1 files changed, 26 insertions, 0 deletions

diff --git a/db/migrate/20201209163958_add_code_challenge_to_oauth_access_grants.rb b/db/migrate/20201209163958_add_code_challenge_to_oauth_access_grants.rb
new file mode 100644
index 00000000000..48292cce55b
--- /dev/null
+++ b/db/migrate/20201209163958_add_code_challenge_to_oauth_access_grants.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class AddCodeChallengeToOauthAccessGrants < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column(:oauth_access_grants, :code_challenge, :text, null: true) unless column_exists?(:oauth_access_grants, :code_challenge)
+    # If `code_challenge_method` is 'plain' the length is at most 128 characters as per the spec
+    # https://tools.ietf.org/html/rfc7636#section-4.1
+    # Otherwise the max length of base64(SHA256(code_verifier)) is 44 characters
+    add_text_limit(:oauth_access_grants, :code_challenge, 128, constraint_name: 'oauth_access_grants_code_challenge')
+
+    add_column(:oauth_access_grants, :code_challenge_method, :text, null: true) unless column_exists?(:oauth_access_grants, :code_challenge_method)
+    # Values are either 'plain' or 'S256'
+    add_text_limit(:oauth_access_grants, :code_challenge_method, 5, constraint_name: 'oauth_access_grants_code_challenge_method')
+  end
+
+  def down
+    remove_column(:oauth_access_grants, :code_challenge)
+    remove_column(:oauth_access_grants, :code_challenge_method)
+  end
+end