feat(oauth2): persist configuration to database with display-only masking (#178)

Co-authored-by: nishenghao.nsh <nishenghao.nsh@oceanbase.com>

Author: niiish32x

assets/schema/oauth2_config.sql

@@ -0,0 +1,16 @@
+-- OAuth2 Configuration Table
+-- Stores OAuth2 settings in database for persistence across deployments
+-- Note: client_secret is stored in plain text and masked when displayed
+
+CREATE TABLE IF NOT EXISTS `oauth2_config` (
+  `id` INT NOT NULL AUTO_INCREMENT COMMENT 'Primary key',
+  `config_key` VARCHAR(64) NOT NULL COMMENT 'Configuration key (default: global)',
+  `enabled` TINYINT(1) NOT NULL DEFAULT 0 COMMENT 'OAuth2 enabled flag',
+  `providers_json` TEXT NULL COMMENT 'OAuth2 providers configuration (JSON array)',
+  `admin_users_json` TEXT NULL COMMENT 'Admin users list (JSON array)',
+  `gmt_create` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'Create time',
+  `gmt_modify` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT 'Modify time',
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `uk_config_key` (`config_key`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+COMMENT='OAuth2 configuration storage (client_secret masked on display)';

assets/schema/upgrade_oauth2_config.sql

@@ -0,0 +1,14 @@
+-- Upgrade script: Create OAuth2 config table for persistence
+
+CREATE TABLE IF NOT EXISTS `oauth2_config` (
+  `id` INT NOT NULL AUTO_INCREMENT COMMENT 'Primary key',
+  `config_key` VARCHAR(64) NOT NULL COMMENT 'Configuration key (default: global)',
+  `enabled` TINYINT(1) NOT NULL DEFAULT 0 COMMENT 'OAuth2 enabled flag',
+  `providers_json` TEXT NULL COMMENT 'OAuth2 providers configuration (JSON array)',
+  `admin_users_json` TEXT NULL COMMENT 'Admin users list (JSON array)',
+  `gmt_create` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'Create time',
+  `gmt_modify` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT 'Modify time',
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `uk_config_key` (`config_key`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci
+COMMENT='OAuth2 configuration storage (client_secret masked on display)';

assets/schema/upgrade_user_table.sql

@@ -0,0 +1,21 @@
+-- Upgrade script: Add OAuth and role columns to user table
+-- Run this if user table exists but missing columns for OAuth user management
+
+-- Add columns if not exists (MySQL 8.0+)
+ALTER TABLE `user`
+    ADD COLUMN IF NOT EXISTS `oauth_provider` VARCHAR(64) NULL COMMENT 'OAuth2 provider',
+    ADD COLUMN IF NOT EXISTS `oauth_id` VARCHAR(255) NULL COMMENT 'OAuth provider user ID',
+    ADD COLUMN IF NOT EXISTS `email` VARCHAR(255) NULL COMMENT 'User email',
+    ADD COLUMN IF NOT EXISTS `avatar` VARCHAR(512) NULL COMMENT 'Avatar URL',
+    ADD COLUMN IF NOT EXISTS `role` VARCHAR(20) NULL DEFAULT 'normal' COMMENT 'User role: normal/admin',
+    ADD COLUMN IF NOT EXISTS `is_active` INT NOT NULL DEFAULT 1 COMMENT '1=active, 0=disabled',
+    ADD INDEX IF NOT EXISTS `idx_oauth` (`oauth_provider`, `oauth_id`);
+
+-- For older MySQL versions, use separate statements:
+-- ALTER TABLE `user` ADD COLUMN `oauth_provider` VARCHAR(64) NULL COMMENT 'OAuth2 provider';
+-- ALTER TABLE `user` ADD COLUMN `oauth_id` VARCHAR(255) NULL COMMENT 'OAuth provider user ID';
+-- ALTER TABLE `user` ADD COLUMN `email` VARCHAR(255) NULL COMMENT 'User email';
+-- ALTER TABLE `user` ADD COLUMN `avatar` VARCHAR(512) NULL COMMENT 'Avatar URL';
+-- ALTER TABLE `user` ADD COLUMN `role` VARCHAR(20) NULL DEFAULT 'normal' COMMENT 'User role: normal/admin';
+-- ALTER TABLE `user` ADD COLUMN `is_active` INT NOT NULL DEFAULT 1 COMMENT '1=active, 0=disabled';
+-- ALTER TABLE `user` ADD INDEX `idx_oauth` (`oauth_provider`, `oauth_id`);

packages/derisk-app/src/derisk_app/app.py

@@ -164,6 +164,41 @@ def mount_static_files(app: FastAPI, param: ApplicationConfig):
     )
 
 
+def _sync_oauth2_config_from_db():
+    """Sync OAuth2 config from database to runtime config on startup.
+
+    This ensures that after deployment/restart, the OAuth2 configuration
+    stored in database (which survives redeployment) is loaded into
+    the in-memory config used by the application.
+    """
+    try:
+        from derisk_app.config_storage.oauth2_db_storage import get_oauth2_db_storage
+        from derisk.configs.model_config import Config
+
+        db_storage = get_oauth2_db_storage()
+        # Load with actual secrets for runtime use
+        db_oauth2 = db_storage.load_with_secrets()
+
+        if db_oauth2 is not None:
+            # Update the runtime config with database values
+            cfg = Config()
+            if hasattr(cfg, "oauth2"):
+                from derisk_core.config import OAuth2Config
+
+                # Convert dict to OAuth2Config
+                oauth2_config = OAuth2Config(
+                    enabled=db_oauth2.get("enabled", False),
+                    providers=db_oauth2.get("providers", []),
+                    admin_users=db_oauth2.get("admin_users", []),
+                )
+                cfg.oauth2 = oauth2_config
+                logger.info("OAuth2 config loaded from database (secrets loaded for runtime)")
+        else:
+            logger.info("No OAuth2 config in database, using file config")
+    except Exception as e:
+        logger.warning(f"Failed to sync OAuth2 from database: {e}")
+
+
 def initialize_app(param: ApplicationConfig, app: FastAPI, system_app: SystemApp):
     """Initialize app
     If you use gunicorn as a process manager, initialize_app can be invoke in
@@ -191,6 +226,9 @@ def initialize_app(param: ApplicationConfig, app: FastAPI, system_app: SystemApp
         param.service.web.database, web_config.disable_alembic_upgrade
     )
 
+    # Load OAuth2 config from database (if exists) to override file config
+    _sync_oauth2_config_from_db()
+
     from derisk_app.component_configs import initialize_components
 
     initialize_components(

packages/derisk-app/src/derisk_app/config_storage/__init__.py

@@ -0,0 +1,9 @@
+"""Derisk configuration storage modules."""
+
+from .oauth2_db_storage import OAuth2ConfigDao, OAuth2ConfigEntity, get_oauth2_db_storage
+
+__all__ = [
+    "OAuth2ConfigDao",
+    "OAuth2ConfigEntity",
+    "get_oauth2_db_storage",
+]

packages/derisk-app/src/derisk_app/config_storage/oauth2_db_storage.py

@@ -0,0 +1,264 @@
+"""OAuth2 configuration database storage with encryption.
+
+This module provides database persistence for OAuth2 configuration,
+with automatic encryption/decryption of sensitive fields like client_secret.
+"""
+
+import json
+import logging
+from typing import Any, Dict, List, Optional
+
+from cryptography.fernet import Fernet
+from sqlalchemy import Column, DateTime, Integer, String, Text
+
+from derisk._private.config import Config
+from derisk.storage.metadata import BaseDao, Model
+
+logger = logging.getLogger(__name__)
+
+
+class OAuth2ConfigEntity(Model):
+    """OAuth2 configuration entity for database storage (plain text)."""
+
+    __tablename__ = "oauth2_config"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    config_key = Column(
+        String(64),
+        nullable=False,
+        default="global",
+        comment="Configuration key (default: global)",
+    )
+    enabled = Column(
+        Integer,
+        nullable=False,
+        default=0,
+        comment="OAuth2 enabled flag (1=true, 0=false)",
+    )
+    providers_json = Column(
+        Text,
+        nullable=True,
+        comment="OAuth2 providers configuration (JSON array)",
+    )
+    admin_users_json = Column(
+        Text,
+        nullable=True,
+        comment="Admin users list (JSON array)",
+    )
+    gmt_create = Column(DateTime, nullable=True)
+    gmt_modify = Column(DateTime, nullable=True)
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert to dictionary."""
+        return {
+            "id": self.id,
+            "config_key": self.config_key,
+            "enabled": bool(self.enabled),
+            "providers_json": self.providers_json,
+            "admin_users_json": self.admin_users_json,
+        }
+
+
+class OAuth2ConfigDao(BaseDao[OAuth2ConfigEntity, Any, Any]):
+    """DAO for OAuth2 configuration."""
+
+    def get_by_key(self, config_key: str = "global") -> Optional[OAuth2ConfigEntity]:
+        """Get OAuth2 config by key."""
+        with self.session() as session:
+            return (
+                session.query(OAuth2ConfigEntity)
+                .filter(OAuth2ConfigEntity.config_key == config_key)
+                .first()
+            )
+
+    @staticmethod
+    def _is_masked_secret(secret: str) -> bool:
+        """Check if a secret is masked (e.g., 'abcd****')."""
+        return bool(secret and "****" in secret)
+
+    def _merge_secrets(
+        self,
+        new_providers: List[Dict[str, Any]],
+        old_providers: List[Dict[str, Any]],
+    ) -> List[Dict[str, Any]]:
+        """Merge new providers with old, preserving secrets when new values are masked.
+
+        If new provider's client_secret is masked (e.g., 'abcd****'),
+        use the corresponding old provider's secret (if provider id matches).
+        """
+        if not old_providers:
+            return new_providers
+
+        # Build lookup for old providers by id
+        old_by_id = {p.get("id", ""): p for p in old_providers if p.get("id")}
+
+        merged = []
+        for new_p in new_providers:
+            pid = new_p.get("id", "")
+            new_secret = new_p.get("client_secret", "")
+
+            # If secret is masked and we have old provider with same id
+            if self._is_masked_secret(new_secret) and pid in old_by_id:
+                old_p = old_by_id[pid]
+                old_secret = old_p.get("client_secret", "")
+
+                # Make a copy and replace masked secret with original
+                merged_p = dict(new_p)
+                merged_p["client_secret"] = old_secret
+                merged.append(merged_p)
+            else:
+                # Secret is not masked (new value) or no old provider
+                merged.append(new_p)
+
+        return merged
+
+    def save_or_update(
+        self,
+        enabled: bool,
+        providers: List[Dict[str, Any]],
+        admin_users: List[str],
+        config_key: str = "global",
+    ) -> OAuth2ConfigEntity:
+        """Save or update OAuth2 config (stored in plain text, mask on display)."""
+        from datetime import datetime
+
+        with self.session() as session:
+            entity = (
+                session.query(OAuth2ConfigEntity)
+                .filter(OAuth2ConfigEntity.config_key == config_key)
+                .first()
+            )
+
+            # If entity exists, merge secrets to avoid overwriting with masked values
+            if entity and entity.providers_json:
+                try:
+                    old_providers = json.loads(entity.providers_json)
+                    providers = self._merge_secrets(providers, old_providers)
+                except json.JSONDecodeError:
+                    pass
+
+            # Store providers as plain JSON (client_secret included, unmasked)
+            providers_json = json.dumps(providers, ensure_ascii=False)
+            admin_users_json = json.dumps(admin_users, ensure_ascii=False)
+
+            if entity:
+                entity.enabled = 1 if enabled else 0
+                entity.providers_json = providers_json
+                entity.admin_users_json = admin_users_json
+                entity.gmt_modify = datetime.utcnow()
+            else:
+                entity = OAuth2ConfigEntity(
+                    config_key=config_key,
+                    enabled=1 if enabled else 0,
+                    providers_json=providers_json,
+                    admin_users_json=admin_users_json,
+                    gmt_create=datetime.utcnow(),
+                    gmt_modify=datetime.utcnow(),
+                )
+                session.add(entity)
+
+            session.commit()
+            session.refresh(entity)
+            return entity
+
+    def _mask_providers_for_display(
+        self, providers: List[Dict[str, Any]]
+    ) -> List[Dict[str, Any]]:
+        """Mask sensitive fields (client_secret) for display purposes.
+
+        This returns a copy with client_secret hidden (showing only first 4 chars).
+        The actual secret remains in the database.
+        """
+        if not providers:
+            return []
+
+        masked = json.loads(json.dumps(providers))
+        for provider in masked:
+            secret = provider.get("client_secret", "")
+            if secret and len(secret) > 4:
+                # Show first 4 chars, mask the rest
+                provider["client_secret"] = secret[:4] + "****"
+            elif secret:
+                provider["client_secret"] = "****"
+        return masked
+
+    def get_config(self, config_key: str = "global", mask_secrets: bool = True) -> Optional[Dict[str, Any]]:
+        """Get OAuth2 config from database.
+
+        Args:
+            config_key: Configuration key (default: global)
+            mask_secrets: If True, mask client_secret in providers for display
+        """
+        entity = self.get_by_key(config_key)
+        if not entity:
+            return None
+
+        try:
+            admin_users = (
+                json.loads(entity.admin_users_json)
+                if entity.admin_users_json
+                else []
+            )
+        except json.JSONDecodeError:
+            admin_users = []
+
+        try:
+            providers = json.loads(entity.providers_json or "[]")
+        except json.JSONDecodeError:
+            providers = []
+
+        # Mask secrets if requested (for display purposes)
+        if mask_secrets:
+            providers = self._mask_providers_for_display(providers)
+
+        return {
+            "enabled": bool(entity.enabled),
+            "providers": providers,
+            "admin_users": admin_users,
+        }
+
+    def get_config_with_secrets(self, config_key: str = "global") -> Optional[Dict[str, Any]]:
+        """Get OAuth2 config with actual secrets (for internal use only)."""
+        return self.get_config(config_key, mask_secrets=False)
+
+
+class OAuth2DbStorage:
+    """High-level storage interface for OAuth2 config."""
+
+    def __init__(self):
+        self._dao: Optional[OAuth2ConfigDao] = None
+
+    @property
+    def dao(self) -> OAuth2ConfigDao:
+        if self._dao is None:
+            self._dao = OAuth2ConfigDao()
+        return self._dao
+
+    def load(self, mask_secrets: bool = True) -> Optional[Dict[str, Any]]:
+        """Load OAuth2 config from database."""
+        return self.dao.get_config("global", mask_secrets=mask_secrets)
+
+    def load_with_secrets(self) -> Optional[Dict[str, Any]]:
+        """Load OAuth2 config with actual secrets (for internal use only)."""
+        return self.dao.get_config_with_secrets("global")
+
+    def save(self, enabled: bool, providers: List[Dict], admin_users: List[str]) -> bool:
+        """Save OAuth2 config to database."""
+        try:
+            self.dao.save_or_update(enabled, providers, admin_users, "global")
+            return True
+        except Exception as e:
+            logger.exception(f"Failed to save OAuth2 config: {e}")
+            return False
+
+
+# Singleton instance
+_oauth2_storage: Optional[OAuth2DbStorage] = None
+
+
+def get_oauth2_db_storage() -> OAuth2DbStorage:
+    """Get OAuth2 database storage singleton."""
+    global _oauth2_storage
+    if _oauth2_storage is None:
+        _oauth2_storage = OAuth2DbStorage()
+    return _oauth2_storage

packages/derisk-app/src/derisk_app/initialization/db_model_initialization.py

@@ -30,6 +30,7 @@
 from derisk_serve.mcp.models.models import ServeEntity as MCPServeEntity
 from derisk_serve.channel.models.models import ChannelEntity
 from derisk_app.auth.user_service import UserEntity
+from derisk_app.config_storage.oauth2_db_storage import OAuth2ConfigEntity
 from derisk_app.feature_plugins.user_groups.models import (
     UserGroupEntity,
     UserGroupMemberEntity,
@@ -60,4 +61,5 @@
     UserEntity,
     UserGroupEntity,
     UserGroupMemberEntity,
+    OAuth2ConfigEntity,
 ]