Add OAuth providers migration#191
Merged
Merged
Conversation
…nto add-oauth-providers-migration
3 tasks
Contributor
Greptile SummaryThis PR introduces OAuth2 provider configuration migration between Appwrite projects. It adds a new
Confidence Score: 5/5The change is safe to merge; it adds a self-contained new migration path with no modifications to existing resource types or write paths. The core logic — allow-list field mapping, conditional secret merging, and isConfigured filtering — is correct and consistent with how auth methods and policies are handled in the same codebase. The null guard on listOAuth2Providers().providers is present, and mergeJsonSecret correctly short-circuits on empty fields. No files require special attention; the implementation is straightforward and mirrors established patterns in the codebase. Important Files Changed
Reviews (24): Last reviewed commit: "Remove OAuth provider unit tests" | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
…oved oAuthProviders off Models\Project)
… broken sign-in flow)
… non-secret fields
…atus counter size limit)
- Destination: dispatch via explicit case Resource::TYPE_OAUTH2_PROVIDER instead of default + instanceof - Source: count in report() directly like sibling resources (drop try/catch), and move the in_array guard inside the export try - Harden mergeAppleSecret/mergeJsonSecret against non-array decoded JSON - Fix stale OAuth2Provider docblock (single shared TYPE, not per-subclass)
- mergeAppleSecret now delegates to mergeJsonSecret (one merge implementation) - exportOAuth2Providers surfaces providers with no Resource class as non-fatal errors instead of dropping them silently - report() counts only migratable providers; fix the misleading enabled comment - use elseif for the mutually-exclusive provider-shape branches - add AppwriteOAuth2SecretTest (secret-merge) and OAuth2ProviderTransferTest (transfer round-trip via MockSource/MockDestination)
…rage Other migration resources (auth methods, policies, …) ship no per-resource tests in this library; keep OAuth2 consistent with that baseline.
…these; were unmapped)
abnegate
reviewed
Jun 3, 2026
Member
There was a problem hiding this comment.
Can we generalize and have 1 class for all? Much easier to maintain
Replace the per-provider class hierarchy (OAuth2Provider base + StandardProvider/WithEndpointProvider + ~40 one-line subclasses) with a single OAuth2Provider class driven by a `providerKey => non-secret fields` map. Addresses review feedback to have one class for all providers. - Source dispatch: drop the 42-entry class registry + oauth2ClassFor(); build providers via OAuth2Provider::fromArray($key, $payload). - Destination dispatch: replace the instanceof chain with a key check (Apple) + data-driven settings routing for endpoint/tenant/prompt. - The field map doubles as a secret allow-list: only declared non-secret fields are copied off the listOAuth2Providers payload, so a future upstream secret field cannot leak into the migration. Net 44 fewer files. Pint, PHPStan level 3, and the Unit suite all pass.
- Remove unused getSetting(); getDestinationAppId/SecretFields cover all callers. - getDestinationAppId() now returns ?string (null when unset), so the destination drops its duplicate isEmptyOAuth2Setting() helper and isConfigured() reads as `enabled || appId !== null`. - Document the PROVIDERS target/key routing so adding a provider is self-explanatory.
abnegate
approved these changes
Jun 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
TYPE_OAUTH_PROVIDERStoGROUP_AUTH_RESOURCESfor migrating the project's OAuth2 provider configuration map.Sources/Appwrite) reads$project->oAuthProvidersand emits oneOAuthProviderssingleton carryingkey/enabled/appIdfor each provider.Destinations/Appwrite) merges the entries into the project doc'soAuthProvidersmap as flat{key}Enabled/{key}Appidkeys viadbForPlatform(mirrors the destination path used byauth-methods/policies).{key}Secretis intentionally not migrated — the source API never exposes secrets and the destination user must re-enter them post-migration. Same caveat as the SMTP password handling.GROUP_AUTH(notGROUP_INTEGRATIONS) — OAuth providers are auth methods that happen to use external identity providers; same group asTYPE_AUTH_METHODSandTYPE_POLICIES.Test plan
testAppwriteMigrationOAuthProviders(in appwrite/appwrite) passes