fix(auth): harden oauth identity upgrade paths

2026-04-22 14:56:56 +08:00
parent 3d29f7c2fa
commit 36aed35957
32 changed files with 2365 additions and 262 deletions
--- a/backend/ent/schema/auth_identity_schema_test.go
+++ b/backend/ent/schema/auth_identity_schema_test.go
@@ -3,7 +3,9 @@ package schema
 import (
 	"testing"

+	"entgo.io/ent"
 	"entgo.io/ent/entc/load"
+	"entgo.io/ent/schema/field"
 	"github.com/stretchr/testify/require"
 )

@@ -74,6 +76,17 @@ func TestAuthIdentityFoundationSchemas(t *testing.T) {

 	userSchema := requireSchema(t, schemas, "User")
 	requireSchemaFields(t, userSchema, "signup_source", "last_login_at", "last_active_at")
+	signupSource := requireSchemaField(t, userSchema, "signup_source")
+	require.Equal(t, field.TypeString, signupSource.Info.Type)
+	require.True(t, signupSource.Default)
+	require.Equal(t, "email", signupSource.DefaultValue)
+	require.Equal(t, 1, signupSource.Validators)
+
+	validator := requireStringFieldValidator(t, User{}.Fields(), "signup_source")
+	for _, value := range []string{"email", "linuxdo", "wechat", "oidc"} {
+		require.NoError(t, validator(value))
+	}
+	require.Error(t, validator("github"))
 }

 func requireSchema(t *testing.T, schemas map[string]*load.Schema, name string) *load.Schema {
@@ -98,6 +111,37 @@ func requireSchemaFields(t *testing.T, schema *load.Schema, names ...string) {
 	}
 }

+func requireSchemaField(t *testing.T, schema *load.Schema, name string) *load.Field {
+	t.Helper()
+
+	for _, schemaField := range schema.Fields {
+		if schemaField.Name == name {
+			return schemaField
+		}
+	}
+
+	require.Failf(t, "missing schema field", "schema %s should include field %s", schema.Name, name)
+	return nil
+}
+
+func requireStringFieldValidator(t *testing.T, fields []ent.Field, name string) func(string) error {
+	t.Helper()
+
+	for _, entField := range fields {
+		descriptor := entField.Descriptor()
+		if descriptor.Name != name {
+			continue
+		}
+		require.NotEmpty(t, descriptor.Validators, "field %s should include a validator", name)
+		validator, ok := descriptor.Validators[0].(func(string) error)
+		require.True(t, ok, "field %s validator should be func(string) error", name)
+		return validator
+	}
+
+	require.Failf(t, "missing field validator", "schema should include field %s", name)
+	return nil
+}
+
 func requireHasUniqueIndex(t *testing.T, schema *load.Schema, fields ...string) {
 	t.Helper()

--- a/backend/ent/schema/user.go
+++ b/backend/ent/schema/user.go
@@ -1,6 +1,8 @@
 package schema

 import (
+	"fmt"
+
 	"github.com/Wei-Shaw/sub2api/ent/schema/mixins"
 	"github.com/Wei-Shaw/sub2api/internal/domain"

@@ -73,7 +75,14 @@ func (User) Fields() []ent.Field {
 			Optional().
 			Nillable(),
 		field.String("signup_source").
-			MaxLen(20).
+			Validate(func(value string) error {
+				switch value {
+				case "email", "linuxdo", "wechat", "oidc":
+					return nil
+				default:
+					return fmt.Errorf("must be one of email, linuxdo, wechat, oidc")
+				}
+			}).
 			Default("email"),
 		field.Time("last_login_at").
 			Optional().