mix attesto_phoenix.gen.migration (AttestoPhoenix v0.6.1)


Generates an Ecto migration that creates the persistence backing the Ecto-based stores that ship with attesto_phoenix.

The migration creates four tables, named to match the runtime schemas exactly so a by-the-docs deploy installs tables the Ecto-backed stores can use without modification:

  • attesto_authorization_codes - the authorization code grant store (AttestoPhoenix.Schema.Authorization). Holds one row per issued authorization code (RFC 6749, section 4.1) plus the PKCE binding (RFC 7636), the optional cnf key binding (RFC 7800), the OIDC nonce, mapped claims, and the consumed_at audit marker. Keyed on code_hash (no surrogate id); consulted exactly once at the token endpoint.

  • attesto_refresh_tokens - the refresh token store (AttestoPhoenix.Schema.RefreshToken, RFC 6749, section 6). Each row carries the rotation family_id and generation it belongs to, the consumed/consumed_at idempotency markers, successor retry payload, family_revoked sticky revocation flag, the cnf key binding, mapped claims, and the diagnostic parent_hash, so that reuse of a rotated token can be detected and the whole family revoked (RFC 6819, section 5.2.2.3 - refresh token rotation / replay detection).

  • dpop_nonces - server-issued DPoP nonces (AttestoPhoenix.Schema.DPoPNonce, RFC 9449, section 8). Each row is a single-use nonce carrying issued_at, expires_at, and the used_at consumption marker.

  • dpop_replays - the DPoP proof replay cache keyed by the proof's jti as its PRIMARY KEY (AttestoPhoenix.Schema.DPoPReplay, RFC 9449, section 11.1). A row is the record that a given proof JWT has already been seen within its acceptance window.
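The following migration is an added illustration of the shape the four tables described above take; it is not the file mix attesto_phoenix.gen.migration emits, and the column types, the key columns it names beyond those in the list (token_hash, nonce), the expires_at columns, the @prefix attribute and the unique index on (family_id, generation) are all assumptions. It exists to show where the security-relevant constraints live: the replay caches are keyed on the hash or jti itself rather than a surrogate id, the refresh token family bookkeeping is indexed so a duplicate generation stands out, and expiry columns are indexed so stale rows can be swept cheaply.

```elixir
# Added example, not the generated file. Column names beyond those the task
# documentation lists, and every column type, are assumptions.
defmodule MyApp.Repo.Migrations.CreateAttestoTables do
  use Ecto.Migration

  # Assumed stand-in for --table-prefix / :table_prefix; "" means no prefix.
  @prefix ""

  def change do
    # Authorization codes: keyed on the hash of the code, no surrogate id.
    create table(@prefix <> "attesto_authorization_codes", primary_key: false) do
      add :code_hash, :binary, primary_key: true
      add :client_id, :string, null: false              # assumed
      add :redirect_uri, :string, null: false           # assumed
      add :code_challenge, :string                      # PKCE binding (RFC 7636)
      add :code_challenge_method, :string               # assumed column name
      add :cnf, :map                                    # optional key binding (RFC 7800)
      add :nonce, :string                               # OIDC nonce
      add :claims, :map, null: false, default: %{}      # mapped claims
      add :expires_at, :utc_datetime_usec, null: false  # assumed
      add :consumed_at, :utc_datetime_usec              # audit marker, set once at the token endpoint
      timestamps(type: :utc_datetime_usec)
    end

    # Refresh tokens: rotation family bookkeeping for replay detection
    # (RFC 6819, section 5.2.2.3).
    create table(@prefix <> "attesto_refresh_tokens", primary_key: false) do
      add :token_hash, :binary, primary_key: true       # assumed key column
      add :family_id, :binary, null: false
      add :generation, :integer, null: false
      add :parent_hash, :binary                         # diagnostic link to the predecessor
      add :consumed, :boolean, null: false, default: false
      add :consumed_at, :utc_datetime_usec
      add :successor, :map                              # retry payload for idempotent rotation
      add :family_revoked, :boolean, null: false, default: false
      add :cnf, :map
      add :claims, :map, null: false, default: %{}
      add :expires_at, :utc_datetime_usec, null: false  # assumed
      timestamps(type: :utc_datetime_usec)
    end

    # Assumed design: one row per generation in a family, so a second token
    # minted at the same generation cannot be stored silently.
    create unique_index(@prefix <> "attesto_refresh_tokens", [:family_id, :generation])
    create index(@prefix <> "attesto_refresh_tokens", [:expires_at])

    # DPoP nonces (RFC 9449, section 8): single use, bounded lifetime.
    create table(@prefix <> "dpop_nonces", primary_key: false) do
      add :nonce, :string, primary_key: true            # assumed key column
      add :issued_at, :utc_datetime_usec, null: false
      add :expires_at, :utc_datetime_usec, null: false
      add :used_at, :utc_datetime_usec                  # consumption marker
    end

    create index(@prefix <> "dpop_nonces", [:expires_at])

    # DPoP proof replay cache (RFC 9449, section 11.1): the proof's jti is the key.
    create table(@prefix <> "dpop_replays", primary_key: false) do
      add :jti, :string, primary_key: true
      add :expires_at, :utc_datetime_usec, null: false  # end of the acceptance window (assumed)
    end

    create index(@prefix <> "dpop_replays", [:expires_at])
  end
end
```

Because every statement is a create, Ecto can derive the reverse automatically, which matches the reversibility the task documents: running the migration down drops the indexes and tables it created. The expires_at indexes are there for the periodic sweep of expired nonces and replay records; without them a busy deployment pays a full scan on every cleanup.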

Usage

mix attesto_phoenix.gen.migration --repo MyApp.Repo

Options

  • --repo - the Ecto repo module the migration is generated for. May be given more than once to target several repos. When omitted the repos configured for the host application are used (the same resolution mix ecto.gen.migration performs).

  • --table-prefix - an optional prefix applied to every generated table name (for example --table-prefix oauth_ yields oauth_attesto_authorization_codes). Defaults to no prefix. When omitted and --otp-app is given, the prefix configured for the host (:table_prefix on the AttestoPhoenix.Config keyword the host puts in its application environment) is used so the generated tables match the prefix the Ecto stores read at runtime; the task never invents a prefix.

  • --migrations-path - directory the migration file is written to. Defaults to the repo's priv/<repo>/migrations directory, the same location mix ecto.gen.migration uses.

  • --otp-app - the host application whose environment holds the AttestoPhoenix.Config keyword to read :table_prefix from when --table-prefix is omitted. Optional; without it the default (no prefix) is used.

  • --config-key - the application environment key the host stores its AttestoPhoenix.Config keyword under. Defaults to AttestoPhoenix.Config, matching AttestoPhoenix.Config.from_otp_app/2. Only consulted together with --otp-app.

The generated migration is reversible: up creates the tables and indexes and down drops them.