extend database

2020-07-21 22:50:11 +02:00 · 2020-07-21 22:50:11 +02:00 · 6d25a0928f
commit 6d25a0928f
parent 8e986c15b2
25 changed files with 896 additions and 502 deletions
--- a/assets/migrations/0_empty.up.sql
+++ b/assets/migrations/0_empty.up.sql
@ -1 +1,6 @@
-- this file is only here so the database can track a completely empty state.
+-- this file is only here so the database can track a completely empty state.
+
+-- pgcrypto adds functions for generating UUIDs.
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+-- citext adds indexable case-insensitive text fields.
+CREATE EXTENSION IF NOT EXISTS "citext";
--- a/assets/migrations/1_user.down.sql
+++ b/assets/migrations/1_user.down.sql
@ -1,4 +1,5 @@
-DROP TABLE "reset";
-DROP TABLE "confirmation";
 DROP TABLE "email";
-DROP TABLE "user";
+
+DROP TABLE "person";
+
+DROP TABLE "identity";
--- a/assets/migrations/1_user.up.sql
+++ b/assets/migrations/1_user.up.sql
@ -1,37 +1,51 @@
-CREATE TABLE "user" (
-  "id"         bigserial NOT NULL,
-  "is_admin"   boolean NOT NULL DEFAULT false,
-  "password"   bytea NULL,
-  "created_at" timestamptz NOT NULL DEFAULT NOW(),
+-- An Identity is any object that can participate as an actor in the system.
+-- It can have groups, permissions, own other objects etc.
+CREATE TABLE "identity" (
+  "id"          bigserial   NOT NULL,
+  "login"       citext      NULL,
+  "passphrase"  bytea       NULL,
+  "totp_secret" text        NULL,
+  "is_admin"    boolean     NOT NULL DEFAULT false,
+  "is_disabled" boolean     NOT NULL DEFAULT false,
+  "created_at"  timestamptz NOT NULL DEFAULT now(),
  PRIMARY KEY ("id")
 );
+CREATE UNIQUE INDEX "identity_login_key" ON "identity" ("login");

+-- A person is a human actor within the system, it is linked to exactly one
+-- identity.
+CREATE TABLE "person" (
+  "identity_id"  bigint NOT NULL,
+  "display_name" text NULL,
+  "first_name"   text NULL,
+  "last_name"    text NULL,
+  "image_url"    text NULL,
+  "zoneinfo"     text NULL,
+  "locale"       text NULL,
+  FOREIGN KEY ("identity_id")
+    REFERENCES "identity" ("id")
+    ON DELETE CASCADE
+    ON UPDATE RESTRICT,
+  PRIMARY KEY ("identity_id")
+);
+
+-- Email is an email address for an identity (most likely for a person),
+-- that may be verified. Zero or one email address assigned to the identity
+-- may be "primary", e.g. used for notifications or login.
 CREATE TABLE "email" (
-  "address"      text NOT NULL,
-  "user_id"      bigint NOT NULL,
-  "created_at"   timestamptz NOT NULL DEFAULT NOW(),
-  FOREIGN KEY ("user_id") REFERENCES "user" ("id") ON DELETE CASCADE,
+  "address"     citext  NOT NULL,
+  "identity_id" bigint  NOT NULL,
+  "is_verified" boolean NOT NULL DEFAULT false,
+  "is_primary"  boolean NOT NULL DEFAULT false,
+  "created_at"  timestamptz NOT NULL DEFAULT now(),
+  FOREIGN KEY ("identity_id")
+    REFERENCES "identity" ("id")
+    ON DELETE CASCADE
+    ON UPDATE RESTRICT,
  PRIMARY KEY ("address")
 );
-CREATE INDEX ON "email" ("user_id");
-
-CREATE TABLE "confirmation" (
-  "email_address" text NOT NULL,
-  "user_id"       bigint NOT NULL,
-  "selector"      text NOT NULL,
-  "verifier"      bytea NOT NULL, -- hashed
-  "expires_at"    timestamptz NOT NULL DEFAULT NOW(),
-  FOREIGN KEY ("user_id") REFERENCES "user" ("id") ON DELETE CASCADE,
-  PRIMARY KEY ("selector")
-);
-CREATE INDEX ON "confirmation" ("user_id");
-
-CREATE TABLE "reset" (
-  "user_id"    bigint NOT NULL,
-  "selector"   text NOT NULL,
-  "verifier"   bytea NOT NULL, -- hashed
-  "expires_at" timestamptz NOT NULL DEFAULT NOW(),
-  FOREIGN KEY ("user_id") REFERENCES "user" ("id") ON DELETE CASCADE,
-  PRIMARY KEY ("selector")
-);
-CREATE UNIQUE INDEX ON "reset" ("user_id");
+CREATE INDEX "email_is_verified_idx" ON "email" ("is_verified")
+  WHERE "is_verified" = true;
+CREATE INDEX "email_identity_id_idx" ON "email" ("identity_id");
+CREATE UNIQUE INDEX "email_is_primary_key" ON "email" ("identity_id", "is_primary")
+  WHERE "is_primary" = true;
--- a/assets/migrations/2_email_tokens.down.sql
+++ b/assets/migrations/2_email_tokens.down.sql
@ -0,0 +1,3 @@
+DROP TABLE "email_confirmation";
+
+DROP TABLE "password_reset";
--- a/assets/migrations/2_email_tokens.up.sql
+++ b/assets/migrations/2_email_tokens.up.sql
@ -0,0 +1,28 @@
+-- Email Confirmation tracks all email confirmations that have been sent out.
+CREATE TABLE "email_confirmation" (
+  "email_address" citext      NOT NULL,
+  "selector"      text        NOT NULL,
+  "verifier"      bytea       NOT NULL,
+  "valid_until"   timestamptz NOT NULL,
+  FOREIGN KEY ("email_address")
+    REFERENCES "email" ("address")
+    ON DELETE CASCADE
+    ON UPDATE RESTRICT,
+  PRIMARY KEY ("email_address")
+);
+CREATE UNIQUE INDEX "email_confirmation_selector_key"
+  ON "email_confirmation" ("selector");
+
+-- Password reset keeps track of the password reset tokens.
+CREATE TABLE "password_reset" (
+  "identity_id" bigserial NOT NULL,
+  "selector"    text  NOT NULL,
+  "verifier"    bytea NOT NULL,
+  "valid_until" timestamptz NOT NULL,
+  FOREIGN KEY ("identity_id")
+    REFERENCES "person" ("identity_id")
+    ON DELETE CASCADE
+    ON UPDATE RESTRICT,
+  PRIMARY KEY ("identity_id")
+);
+CREATE UNIQUE INDEX "password_reset_selector_key" ON "password_reset" ("selector");
--- a/assets/migrations/2_external.up.sql
+++ b/assets/migrations/2_external.up.sql
@ -1,17 +0,0 @@
-CREATE TABLE "external_auth" (
-  "id"           bigserial NOT NULL,
-  "name"         text NOT NULL,
-  "type"         text NOT NULL,
-  "config"       jsonb NOT NULL,
-  PRIMARY KEY ("id")
-);
-CREATE INDEX ON "external_auth" ("type");
-
-CREATE TABLE "external_user" (
-  "external_auth_id" bigint NOT NULL,
-  "foreign_id"       text NOT NULL,
-  "user_id"          bigint NOT NULL,
-  FOREIGN KEY ("user_id") REFERENCES "user" ("id") ON DELETE CASCADE,
-  FOREIGN KEY ("external_auth_id") REFERENCES "external_auth" ("id") ON DELETE CASCADE,
-  PRIMARY KEY ("external_auth_id", "foreign_id")
-);
--- a/assets/migrations/3_external.down.sql
+++ b/assets/migrations/3_external.down.sql
--- a/assets/migrations/3_external.up.sql
+++ b/assets/migrations/3_external.up.sql
@ -0,0 +1,33 @@
+CREATE TABLE "external_auth" (
+  "name"          text NOT NULL,
+  "oidc_url"      text NULL,
+  "auth_url"      text NOT NULL,
+  "token_url"     text NOT NULL,
+  "client_key"    text NOT NULL,
+  "client_secret" text NOT NULL,
+  "created_at"    timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("name")
+);
+CREATE UNIQUE INDEX "external_auth_name_key" ON "external_auth" ("name");
+
+CREATE TABLE "external_user" (
+  "identity_id"        bigint NOT NULL,
+  "external_auth_name" text NOT NULL,
+  "external_id"        text NOT NULL,
+  "auth_token"         text NULL,
+  "refresh_token"      text NULL,
+  "identity_token"     text NULL,
+  FOREIGN KEY ("identity_id")
+    REFERENCES "identity" ("id")
+    ON UPDATE RESTRICT
+    ON DELETE CASCADE,
+  FOREIGN KEY ("external_auth_name")
+    REFERENCES "external_auth" ("name")
+    ON UPDATE CASCADE
+    ON DELETE CASCADE,
+  PRIMARY KEY ("identity_id")
+);
+CREATE INDEX "external_user_external_auth_name_idx"
+  ON "external_user" ("external_auth_name");
+CREATE UNIQUE INDEX "external_user_external_id_key"
+  ON "external_user" ("external_auth_name", "external_id");