database: Create oidc_tokens table

Turbo87 · Turbo87 · commit 735558c57fde · 2025-04-25T09:13:58.000+02:00
diff --git a/crates/crates_io_database/src/schema.rs b/crates/crates_io_database/src/schema.rs
@@ -629,6 +629,22 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    /// Temporary access tokens for OIDC-based publishing (aka. Trusted Publishing)
+    oidc_tokens (id) {
+        /// Unique identifier of the `oidc_tokens` row
+        id -> Int8,
+        /// Unique identifier of the crate that can be published using this token
+        crate_id -> Int4,
+        /// SHA256 hash of the token that can be used to publish the crate
+        hashed_token -> Bytea,
+        /// Date and time when the token was created
+        created_at -> Timestamptz,
+        /// Date and time when the token will expire
+        expires_at -> Timestamptz,
+    }
+}
+
 diesel::table! {
     /// List of all processed CDN log files, used to avoid processing the same file multiple times.
     processed_log_files (path) {
@@ -1089,6 +1105,7 @@ diesel::joinable!(emails -> users (user_id));
 diesel::joinable!(follows -> crates (crate_id));
 diesel::joinable!(follows -> users (user_id));
 diesel::joinable!(github_oidc_configs -> crates (crate_id));
+diesel::joinable!(oidc_tokens -> crates (crate_id));
 diesel::joinable!(publish_limit_buckets -> users (user_id));
 diesel::joinable!(publish_rate_overrides -> users (user_id));
 diesel::joinable!(readme_renderings -> versions (version_id));
@@ -1119,6 +1136,7 @@ diesel::allow_tables_to_appear_in_same_query!(
     github_oidc_configs,
     keywords,
     metadata,
+    oidc_tokens,
     processed_log_files,
     publish_limit_buckets,
     publish_rate_overrides,
diff --git a/crates/crates_io_database_dump/src/dump-db.toml b/crates/crates_io_database_dump/src/dump-db.toml
@@ -169,6 +169,15 @@ created_at = "public"
 [metadata.columns]
 total_downloads = "public"
 
+[oidc_tokens]
+dependencies = ["crates"]
+[oidc_tokens.columns]
+id = "private"
+crate_id = "private"
+hashed_token = "private"
+created_at = "private"
+expires_at = "private"
+
 [processed_log_files.columns]
 path = "private"
 time = "private"
diff --git a/migrations/2025-04-15-100719_oidc-tokens/down.sql b/migrations/2025-04-15-100719_oidc-tokens/down.sql
@@ -0,0 +1 @@
+drop table oidc_tokens;
diff --git a/migrations/2025-04-15-100719_oidc-tokens/up.sql b/migrations/2025-04-15-100719_oidc-tokens/up.sql
@@ -0,0 +1,18 @@
+create table oidc_tokens
+(
+    id bigserial primary key,
+    crate_id int not null references crates on delete cascade,
+    hashed_token bytea not null,
+    created_at timestamptz not null default now(),
+    expires_at timestamptz not null
+);
+
+comment on table oidc_tokens is 'Temporary access tokens for OIDC-based publishing (aka. Trusted Publishing)';
+comment on column oidc_tokens.id is 'Unique identifier of the `oidc_tokens` row';
+comment on column oidc_tokens.crate_id is 'Unique identifier of the crate that can be published using this token';
+comment on column oidc_tokens.hashed_token is 'SHA256 hash of the token that can be used to publish the crate';
+comment on column oidc_tokens.created_at is 'Date and time when the token was created';
+comment on column oidc_tokens.expires_at is 'Date and time when the token will expire';
+
+create unique index oidc_tokens_crate_id_hashed_token_uindex
+    on oidc_tokens (crate_id, hashed_token);
