providers/oauth2: fix size limited index for tokens (#11879)

* providers/oauth2: fix size limited index for tokens I preserved the migrations as comments so the index IDs and migration IDs remain searchable without accessing git history. * rename migration file to more descriptive
2024-11-04 18:04:35 +01:00
parent 92fcb42f8a
commit 5198174e08
4 changed files with 68 additions and 30 deletions
--- a/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0019_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,13 +11,16 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]

-    operations = [
-        migrations.AddIndex(
-            model_name="accesstoken",
-            index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="refreshtoken",
-            index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
-        ),
-    ]
+    # Original preserved
+    # See https://github.com/goauthentik/authentik/issues/11874
+    # operations = [
+    #     migrations.AddIndex(
+    #         model_name="accesstoken",
+    #         index=models.Index(fields=["token"], name="authentik_p_token_4bc870_idx"),
+    #     ),
+    #     migrations.AddIndex(
+    #         model_name="refreshtoken",
+    #         index=models.Index(fields=["token"], name="authentik_p_token_1a841f_idx"),
+    #     ),
+    # ]
+    operations = []
--- a/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
+++ b/authentik/providers/oauth2/migrations/0020_remove_accesstoken_authentik_p_token_4bc870_idx_and_more.py
@ -11,21 +11,24 @@ class Migration(migrations.Migration):
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]

-    operations = [
-        migrations.RemoveIndex(
-            model_name="accesstoken",
-            name="authentik_p_token_4bc870_idx",
-        ),
-        migrations.RemoveIndex(
-            model_name="refreshtoken",
-            name="authentik_p_token_1a841f_idx",
-        ),
-        migrations.AddIndex(
-            model_name="accesstoken",
-            index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="refreshtoken",
-            index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
-        ),
-    ]
+    # Original preserved
+    # See https://github.com/goauthentik/authentik/issues/11874
+    # operations = [
+    #     migrations.RemoveIndex(
+    #         model_name="accesstoken",
+    #         name="authentik_p_token_4bc870_idx",
+    #     ),
+    #     migrations.RemoveIndex(
+    #         model_name="refreshtoken",
+    #         name="authentik_p_token_1a841f_idx",
+    #     ),
+    #     migrations.AddIndex(
+    #         model_name="accesstoken",
+    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_f99422_idx"),
+    #     ),
+    #     migrations.AddIndex(
+    #         model_name="refreshtoken",
+    #         index=models.Index(fields=["token", "provider"], name="authentik_p_token_a1d921_idx"),
+    #     ),
+    # ]
+    operations = []
--- a/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
+++ b/authentik/providers/oauth2/migrations/0023_alter_accesstoken_refreshtoken_use_hash_index.py
@ -0,0 +1,31 @@
+# Generated by Django 5.0.9 on 2024-10-31 14:28
+
+import django.contrib.postgres.indexes
+from django.conf import settings
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0040_provider_invalidation_flow"),
+        ("authentik_providers_oauth2", "0022_remove_accesstoken_session_id_and_more"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_f99422_idx;"),
+        migrations.RunSQL("DROP INDEX IF EXISTS authentik_p_token_a1d921_idx;"),
+        migrations.AddIndex(
+            model_name="accesstoken",
+            index=django.contrib.postgres.indexes.HashIndex(
+                fields=["token"], name="authentik_p_token_e00883_hash"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="refreshtoken",
+            index=django.contrib.postgres.indexes.HashIndex(
+                fields=["token"], name="authentik_p_token_32e2b7_hash"
+            ),
+        ),
+    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -13,6 +13,7 @@ from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite.core import from_dict
+from django.contrib.postgres.indexes import HashIndex
 from django.db import models
 from django.http import HttpRequest
 from django.templatetags.static import static
@ -418,7 +419,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):

    class Meta:
        indexes = [
-            models.Index(fields=["token", "provider"]),
+            HashIndex(fields=["token"]),
        ]
        verbose_name = _("OAuth2 Access Token")
        verbose_name_plural = _("OAuth2 Access Tokens")
@ -464,7 +465,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):

    class Meta:
        indexes = [
-            models.Index(fields=["token", "provider"]),
+            HashIndex(fields=["token"]),
        ]
        verbose_name = _("OAuth2 Refresh Token")
        verbose_name_plural = _("OAuth2 Refresh Tokens")