From 0eb1a58eb69bcf72bde16549ddefeed58ae4b945 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Thu, 9 Jul 2026 21:47:53 +0200 Subject: [PATCH] Add appwrite OAuth2 provider to migration allow-list Appwrite server is adding a built-in 'appwrite' OAuth2 provider (sign in with Appwrite Cloud). Without an entry in the PROVIDERS allow-list, migrations report "No migration resource for OAuth2 provider 'appwrite'; skipped." Only clientId migrates (to the appwriteAppid attribute); clientSecret is write-only and stays redacted per the existing policy. The OAuth endpoint is hardcoded server-side, so there is no endpoint setting. Co-Authored-By: Claude Fable 5 --- .../Resources/Auth/OAuth2/OAuth2Provider.php | 1 + .../Unit/Resources/OAuth2ProviderTest.php | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 tests/Migration/Unit/Resources/OAuth2ProviderTest.php diff --git a/src/Migration/Resources/Auth/OAuth2/OAuth2Provider.php b/src/Migration/Resources/Auth/OAuth2/OAuth2Provider.php index d291f61b..e029dbdf 100644 --- a/src/Migration/Resources/Auth/OAuth2/OAuth2Provider.php +++ b/src/Migration/Resources/Auth/OAuth2/OAuth2Provider.php @@ -31,6 +31,7 @@ final class OAuth2Provider extends Resource 'keyId' => ['target' => self::TARGET_SECRET, 'key' => 'keyID'], 'teamId' => ['target' => self::TARGET_SECRET, 'key' => 'teamID'], ], + 'appwrite' => ['clientId' => ['target' => self::TARGET_APP_ID]], 'auth0' => ['clientId' => ['target' => self::TARGET_APP_ID], 'endpoint' => ['target' => self::TARGET_SECRET]], 'authentik' => ['clientId' => ['target' => self::TARGET_APP_ID], 'endpoint' => ['target' => self::TARGET_SECRET]], 'autodesk' => ['clientId' => ['target' => self::TARGET_APP_ID]], diff --git a/tests/Migration/Unit/Resources/OAuth2ProviderTest.php b/tests/Migration/Unit/Resources/OAuth2ProviderTest.php new file mode 100644 index 00000000..c24a06cc --- /dev/null +++ b/tests/Migration/Unit/Resources/OAuth2ProviderTest.php @@ -0,0 +1,53 @@ + 'appwrite', + 'enabled' => true, + 'clientId' => 'client-123', + 'clientSecret' => 'super-secret', + ]); + + $this->assertNotNull($provider); + $this->assertEquals('appwrite', $provider->getProviderKey()); + $this->assertTrue($provider->getEnabled()); + $this->assertEquals(['clientId' => 'client-123'], $provider->getSettings()); + $this->assertEquals('client-123', $provider->getDestinationAppId()); + $this->assertEquals([], $provider->getDestinationSecretFields()); + $this->assertTrue($provider->isConfigured()); + } + + public function testFromArrayNeverCopiesSecrets(): void + { + foreach (\array_keys(OAuth2Provider::PROVIDERS) as $providerKey) { + $provider = OAuth2Provider::fromArray($providerKey, [ + 'id' => $providerKey, + 'enabled' => false, + 'clientId' => 'client-123', + 'clientSecret' => 'super-secret', + 'p8File' => 'p8-contents', + ]); + + $this->assertNotNull($provider); + $this->assertArrayNotHasKey('clientSecret', $provider->getSettings(), $providerKey); + $this->assertArrayNotHasKey('p8File', $provider->getSettings(), $providerKey); + } + } + + public function testFromArrayUnknownProvider(): void + { + $this->assertNull(OAuth2Provider::fromArray('unknown', [ + 'id' => 'unknown', + 'enabled' => true, + 'clientId' => 'client-123', + ])); + } +}