big oauth improvements

pages/Authorize.vue

@@ -1,37 +1,55 @@
 <template lang='pug'>
-    //- el-card.mt-5
-    //- div(slot='header')
-    //-   h4 <img src='/favicon.ico'/>   App authorization
-    div(v-if='client')
+  el-card.mt-5
+    h4(slot='header') <nuxt-link :to='"/"'><img src='/favicon.ico'/></nuxt-link> {{settings.title}} - {{$t('common.authorize')}}
+    div
       h5 <u>{{$auth.user.email}}</u>
-      p External application <b>{{client.name}}</b> want following permission grants:
+      p External application <code>{{client.name}}</code> want following permission grants:
       ul
-        li(v-for="scope in $route.query.scope.split(' ')") {{scope}}
-      span You will be redirected to <b>{{$route.query.redirect_uri}}</b>
+        li(v-for="s in scope.split(' ')") {{s}}
+      span(v-if='redirect_uri!=="urn:ietf:wg:oauth:2.0:oob"') You will be redirected to <code>{{$route.query.redirect_uri}}</code>
       el-row.mt-3(justify='center')
         el-col(:span='12' :offset='6' style='text-align: center')
           a(:href='authorizeURL')
             el-button.mr-1(plain type='success') {{$t('common.authorize')}}
-          a(to='/')
+          a(href='/')
             el-button.mt-1(plain type='warning') {{$t('common.cancel')}}
 </template>
 
 <script>
-import { mapActions, mapState } from 'vuex'
-import { Message } from 'element-ui'
-import get from 'lodash/get'
+import { mapState } from 'vuex'
 
 export default {
   layout: 'modal',
   name: 'Authorize',
   middleware: ['auth'],
-  async asyncData ({ $axios, query }) {
+  async asyncData ({ $axios, query, error, req }) {
+    const { client_id, redirect_uri, scope, response_type } = query
+    let err = ''
+    if (!client_id) {
+      err = 'client_id is missing'
+    }
+    if (!redirect_uri) {
+      err = 'redirect_uri is missing'
+    }
+    if (!scope || scope !== 'write') {
+      err = 'scope is missing or wrong'
+    }
+    if (!response_type || response_type !== 'code') {
+      err = 'response_type is missing or wrong'
+    }
+
     // retrieve client validity
     try {
-      const client = await $axios.$get(`/client/${query.client_id}`)
-      return { client }
+      const client = await $axios.$get(`/client/${client_id}`)
+      if (!client) {
+        err = 'client not found'
+      }
+      if (err) {
+        return error({ statusCode: 404, message: err })
+      }
+      return { client, redirect_uri, scope, response_type }
     } catch (e) {
-      console.error(e)
+      error({ statusCode: 400, message: 'Something goes wrong with OAuth authorization' })
     }
   },
   data () {

pages/Login.vue

@@ -5,7 +5,7 @@
       p(v-html="$t('login.description')")
       div(v-loading='loading')
 
-        el-input.mb-2(v-model='email' type='email' name='email' prefix-icon='el-icon-user'
+        el-input.mb-2(v-model='email' type='email' title='email' prefix-icon='el-icon-user'
           :placeholder='$t("common.email")' autocomplete='email' ref='email')
 
         el-input.mb-1(v-model='password' @keyup.enter.native="submit"
@@ -41,6 +41,9 @@ export default {
       return !this.email || !this.password
     }
   },
+  mounted () {
+    this.$refs.email.focus()
+  },
   methods: {
     ...mapActions(['login']),
     close () {
@@ -63,8 +66,8 @@ export default {
       try {
         this.loading = true
         await this.$auth.loginWith('local', { data: { email: this.email, password: this.password } })
-        const user = await this.$axios.$get('/auth/user')
-        this.$auth.setUser(user)
+        // const user = await this.$axios.$get('/auth/user')
+        // this.$auth.setUser(user)
         this.loading = false
         Message({ message: this.$t('login.ok'), showClose: true, type: 'success' })
         this.close()

pages/Register.vue

@@ -14,7 +14,6 @@
 
         el-input.mb-2(v-model='user.description' type="textarea" rows='3' :placeholder="$t('common.description')")
 
-      span(slot='footer')
         el-button(plain type="success" :disabled='disabled' @click='register') {{$t('common.send')}} <v-icon name='chevron-right'/>
 </template>
 

pages/add/_edit.vue

@@ -1,5 +1,5 @@
 <template lang="pug">
-  el-main
+  el-main#edit_page
     h5.text-center {{edit?$t('common.edit_event'):$t('common.add_event')}}
     el-form(v-loading='loading')
 
@@ -18,10 +18,11 @@
 
       //- tags
       div {{$t('event.tag_description')}}
+      client-only
         el-select.mb-3(v-model='event.tags' multiple filterable
           @input.native='queryTags=$event.target.value' @change='queryTags=""'
           allow-create default-first-option placeholder='Tag')
-        el-option(v-for='tag in filteredTags' :key='tag' :label='tag' :value='tag')
+          el-option(v-for='tag in filteredTags' :key='tag.tag' :label='tag.tag' :value='tag.tag')
 
       //- WHERE
       el-divider
@@ -69,8 +70,9 @@
           el-radio-button(v-for='whenPattern in whenPatterns' :label='whenPattern.key' :key='whenPatterns.key')
             span {{whenPattern.label}}
 
-      .text-center(inline)
-        el-form-item(:label="$t('event.from')")
+        //- form.el-form.text-center.inline.el-form-inline
+      .text-center
+        el-form-item(:label="$t('event.from')" width='100')
           el-time-select.mr-2(ref='time_start'
             v-model="time.start"
             :picker-options="{ start: '00:00', step: '00:30', end: '24:00'}")
@@ -79,7 +81,6 @@
             :picker-options="{start: '00:00', step: '00:30', end: '24:00'}")
 
       List(v-if='event.type==="normal" && todayEvents.length' :events='todayEvents' :title='$t("event.same_day")')
-      //- el-button.float-right(@click='next' type='succes' :disabled='!couldProceed') {{$t('common.next')}}
 
       //- MEDIA / FLYER / POSTER
       el-divider <v-icon name='image'/> {{$t('common.media')}}
@@ -114,18 +115,6 @@ export default {
   validate ({ store }) {
     return (store.state.auth.loggedIn || store.state.settings.allow_anon_event)
   },
-  // fetch ({ store, $axios }) {
-    // try {
-    // const now = new Date()
-    // const events = await $axios.$get(`/event/${now.getMonth()}/${now.getFullYear()}`)
-    // store.commit('setEvents', events)
-    // const { tags, places } = await $axios.$get('/event/meta')
-    // store.commit('update', { tags, places })
-    // } catch (e) {
-    // console.error('Error ', e)
-    // }
-  //   moment.locale(store.state.locale)
-  // },
   async asyncData ({ params, $axios, error, store }) {
     if (params.edit) {
       const data = { time: {}, event: { place: {} } }
@@ -267,8 +256,9 @@ export default {
     filteredTags () {
       const queryTags = this.queryTags.toLowerCase()
       return _(this.tags)
-        .filter(t => !this.event.tags.includes(t))
-        .filter(t => t.includes(queryTags))
+        .filter(t => !this.event.tags.includes(t.tag))
+        .filter(t => t.tag.includes(queryTags))
+        // .pick('tag')
         .take(5)
         .value()
     },
@@ -418,6 +408,10 @@ i {
   max-width: 600px;
 }
 
+#edit_page .el-form-item {
+    display: inline-flex;
+}
+
 .el-upload,
 .el-upload-dragger {
   overflow: hidden;

pages/embed/_event_id.vue

@@ -61,28 +61,29 @@ export default {
  */
 </script>
 <style lang='less'>
-.embed_event{
-
-a {
-  transition: margin .1s;
-}
-
-a:hover {
-  transform: prospective(10) translateX(10);
-  margin-left: 5px;
-}
-
 .embed_event {
+  transition: margin .1s;
   background-image: url('/favicon.ico');
   background-repeat: no-repeat;
   background-position-x: right;
   background-position-y: bottom;
-  img {
-    width: 150px;
-    object-fit: cover;
-    object-position: top;
-    margin-right: 5px;
-    height: 100%;
+  background-color: #1f1f1f;
+
+  display: inline-block;
+  border: 1px solid #b1a3a3;
+  margin: 0px auto;
+  padding: 0px;
+  width: 400px;
+  height: 210px;
+  overflow: hidden;
+  border-radius: 10px;
+  // transition: all .2s;
+  margin: 0px;
+
+  &:hover {
+    transform: prospective(10) translateX(10);
+    margin-left: 5px;
+    text-decoration: none;
   }
 
   .event-info {
@@ -97,20 +98,13 @@ a:hover {
     }
   }
 
-  background-color: #1f1f1f;
-  display: inline-block;
-  border: 1px solid #b1a3a3;
-  margin: 0px auto;
-  padding: 0px;
-  width: 400px;
-  height: 210px;
-  overflow: hidden;
-  border-radius: 10px;
-  // transition: all .2s;
-  margin: 0px;
+  img {
+    width: 150px;
+    object-fit: cover;
+    object-position: top;
+    margin-right: 5px;
+    height: 100%;
+  }
+
 }
-}
-// .embed_event:hover {
-  // transform: scale(1.03);
-// }
 </style>

pages/event/_id.vue

@@ -39,8 +39,7 @@
             el-menu-item(@click='showEmbed=true') <i class='el-icon-copy-document'></i> {{$t('common.embed')}}
 
             //- TODO (ics of recurrent events)
-            //- el-menu-item(v-if='!event.recurrent')
-            el-menu-item
+            el-menu-item(v-if='!event.recurrent')
               a(:href='`${settings.baseurl}/api/event/${event.id}.ics`') <i class='el-icon-date'></i> {{$t('common.add_to_calendar')}}
           EventAdmin(v-if='is_mine' :event='event')
 
@@ -281,7 +280,7 @@ export default {
       await this.$axios.post('/instances/toggle_user_block', { user_id: resource.apUserApId })
       Message({ message: this.$t('admin.user_blocked', { user: resource.apUserApId }), type: 'success', showClose: true })
     },
-    async deleteResource (resource) {
+    deleteResource (resource) {
       MessageBox.confirm(this.$t('admin.delete_resource_confirm'),
         this.$t('common.confirm'), {
           confirmButtonText: this.$t('common.ok'),

pages/export.vue

@@ -83,18 +83,18 @@ export default {
       }
 
       if (this.filters.places.length) {
-        params.push(`places=${this.filters.places}`)
+        params.push(`places=${this.filters.places.map(p => p.id)}`)
       }
 
       if (this.filters.tags.length) {
-        params.push(`tags=${this.filters.tags}`)
+        params.push(`tags=${this.filters.tags.map(t => t.id)}`)
       }
 
       return `<iframe style='border: 0px; width: 100%;' src="${this.settings.baseurl}/embed/list?${params.join('&')}"></iframe>`
     },
     link () {
-      const tags = this.filters.tags.join(',')
-      const places = this.filters.places.join(',')
+      const tags = this.filters.tags.map(t => t.id).join(',')
+      const places = this.filters.places.map(p => p.id).join(',')
       let query = ''
       if (tags || places) {
         query = '?'

pages/index.vue

@@ -3,13 +3,12 @@
 </template>
 <script>
 import Home from '~/components/Home.vue'
-import Nav from '~/components/Nav.vue'
 import moment from 'moment-timezone'
 import { mapState } from 'vuex'
 
 export default {
   name: 'Index',
-  components: { Nav, Home },
+  components: { Home },
   fetch ({ store }) {
     moment.tz.setDefault(store.state.settings.instance_timezone)
   },

server/api/controller/oauth.js

@@ -1,57 +1,117 @@
 const crypto = require('crypto')
 const { promisify } = require('util')
 const randomBytes = promisify(crypto.randomBytes)
-const { oauth_client: OAuthClient, oauth_token: OAuthToken, 
-  oauth_code: OAuthCode } = require('../models')
+const {
+  oauth_client: OAuthClient, oauth_token: OAuthToken,
+  oauth_code: OAuthCode, user: User
+} = require('../models')
+const debug = require('debug')('oauth')
 
-async function randomString(len = 16) {
-  const bytes = await randomBytes(len*8)
+async function randomString (len = 16) {
+  const bytes = await randomBytes(len * 8)
   return crypto
     .createHash('sha1')
     .update(bytes)
     .digest('hex')
 }
 
-
 const oauthController = {
 
-  async getClient (req, res) {
-    const client_id = req.params.client_id
-    const client = await OAuthClient.findOne({ where: { client_id }})
-    console.error('ma non ho trovato il client ', client_id, client )
-    res.json(client)
-  },
-
+  // create client => http:///gancio.org/oauth#create-client
   async createClient (req, res) {
+    debug('Create client ', req.body.client_name)
+    // only write scope is supported
+    if (req.body.scopes && req.body.scopes !== 'write') {
+      return res.status(422).json({ error: 'Invalid scopes' })
+    }
 
     const client = {
+      id: await randomString(256),
       name: req.body.client_name,
-      redirectUris: req.body.redirect_uris || 'urn:ietf:wg:oauth:2.0:oob',
+      redirectUris: req.body.redirect_uris,
       scopes: req.body.scopes || 'write',
-      client_id: await randomString(256),
+      website: req.body.website,
       client_secret: await randomString(256)
     }
-    res.json(await OAuthClient.create(client))
+
+    try {
+      await OAuthClient.create(client)
+      client.client_id = client.id
+      delete client.id
+      res.json(client)
+    } catch (e) {
+      debug(e)
+      res.status(400).json(e)
+    }
   },
 
-  async associate (req, res) {
-    const { client_id, redirect_uri, response_type } = req.query
-    console.error('dentro associate ', client_id, redirect_uri, response_type )
+  async getClients (req, res) {
+    const tokens = await OAuthToken.findAll({
+      include: [{ model: User, where: { id: req.user.id } }, { model: OAuthClient, as: 'client' }],
+      raw: true,
+      nest: true
+    })
+    res.json(tokens)
   },
 
   model: {
-    async getClient (clientId, clientSecret) {
-      console.error(`model getClient ${clientId} / ${clientSecret}`)
-      const client = await OAuthClient.findByPk(clientId)
-      client.grants = ['authorization_code']
-      return client || false      
+
+    /**
+     * Invoked to retrieve an existing access token previously saved through #saveToken().
+     * https://oauth2-server.readthedocs.io/en/latest/model/spec.html#getaccesstoken-accesstoken-callback
+     * */
+    async getAccessToken (accessToken) {
+      const oauth_token = await OAuthToken.findByPk(accessToken,
+        { include: [User, { model: OAuthClient, as: 'client' }], nest: true, raw: true })
+      return oauth_token
     },
 
-    async saveAuthorizationCode(code, client, user) {
-      console.error('dentro save auth code ', client, user, code)
+    /**
+     * Invoked to retrieve a client using a client id or a client id/client secret combination, depending on the grant type.
+     */
+    async getClient (client_id, client_secret) {
+      const client = await OAuthClient.findByPk(client_id, { raw: true })
+      if (client_secret && client_secret !== client.client_secret) {
+        return false
+      }
+
+      if (client) { client.grants = ['authorization_code'] }
+
+      return client
+    },
+
+    async getRefreshToken (refresh_token) {
+      const oauth_token = await OAuthToken.findOne({ where: { refresh_token }, raw: true })
+      return oauth_token
+    },
+
+    async getAuthorizationCode (code) {
+      const oauth_code = await OAuthCode.findByPk(code,
+        { include: [User, { type: OAuthClient, as: 'client' }], nest: true, raw: true })
+      return oauth_code
+    },
+
+    async saveToken (token, client, user) {
+      token.userId = user.id
+      token.oauthClientId = client.id
+      const oauth_token = await OAuthToken.create(token)
+      oauth_token.client = client
+      oauth_token.user = user
+      return oauth_token
+    },
+
+    async revokeAuthorizationCode (code) {
+      const oauth_code = await OAuthCode.findByPk(code)
+      return oauth_code.destroy()
+    },
+
+    async saveAuthorizationCode (code, client, user) {
+      code.userId = user.id
+      code.oauthClientId = client.id
       const ret = await OAuthCode.create(code)
       return ret
     }
+
   }
 }
 

server/api/index.js

@@ -11,6 +11,7 @@ const instanceController = require('./controller/instance')
 const apUserController = require('./controller/ap_user')
 const resourceController = require('./controller/resource')
 const oauthController = require('./controller/oauth')
+const oauth = require('./oauth')
 
 const storage = require('./storage')
 const upload = multer({ storage })
@@ -82,7 +83,7 @@ api.get('/event/:event_id.:format?', cors, eventController.get)
 api.get('/export/:type', cors, exportController.export)
 
 // get events in this range
-api.get('/event/:month/:year', cors, eventController.getAll)
+// api.get('/event/:month/:year', cors, eventController.getAll)
 api.get('/event', cors, eventController.select)
 
 api.get('/instances', isAdmin, instanceController.getAll)
@@ -93,9 +94,12 @@ api.put('/resources/:resource_id', isAdmin, resourceController.hide)
 api.delete('/resources/:resource_id', isAdmin, resourceController.remove)
 api.get('/resources', isAdmin, resourceController.getAll)
 
-api.get('/client/:client_id', isAuth, oauthController.getClient)
+api.get('/clients', isAuth, oauthController.getClients)
 api.post('/client', oauthController.createClient)
 
+// api.get('/verify', oauth.oauthServer.authenticate(), (req, res) => {
+// })
+
 // Handle 404
 api.use((req, res) => {
   debug('404 Page not found: %s', req.path)
@@ -104,7 +108,7 @@ api.use((req, res) => {
 
 // Handle 500
 api.use((error, req, res, next) => {
-  debug(error)
+  debug(error.toString())
   res.status(500).send('500: Internal Server Error')
 })
 

server/api/models/oauth_client.js

@@ -1,19 +1,17 @@
 
 module.exports = (sequelize, DataTypes) => {
   const OAuthClient = sequelize.define('oauth_client', {
-    client_id: {
+    id: {
       type: DataTypes.STRING,
-      primaryKey: true
+      primaryKey: true,
+      allowNull: false
     },
     name: DataTypes.STRING,
-    scopes: DataTypes.STRING,
     client_secret: DataTypes.STRING,
-    redirectUris: DataTypes.STRING
+    scopes: DataTypes.STRING,
+    redirectUris: DataTypes.STRING,
+    website: DataTypes.STRING
   }, {})
 
-  OAuthClient.associate = function (models) {
-    OAuthClient.belongsTo(models.user)
-  }
-
   return OAuthClient
 }

server/api/models/oauth_code.js

@@ -5,13 +5,14 @@ module.exports = (sequelize, DataTypes) => {
       type: DataTypes.STRING,
       primaryKey: true
     },
+    expiresAt: DataTypes.DATE,
     scope: DataTypes.STRING,
     redirect_uri: DataTypes.STRING
   }, {})
 
   OAuthCode.associate = function (models) {
     OAuthCode.belongsTo(models.user)
-    OAuthCode.belongsTo(models.oauth_client)
+    OAuthCode.belongsTo(models.oauth_client, { as: 'client' })
   }
 
   return OAuthCode

server/api/models/oauth_token.js

@@ -1,14 +1,30 @@
 
 module.exports = (sequelize, DataTypes) => {
   const OAuthToken = sequelize.define('oauth_token', {
-    access_token: DataTypes.STRING,
-    refresh_token: DataTypes.STRING,
-    scope: DataTypes.STRING,
+    accessToken: {
+      type: DataTypes.STRING,
+      allowNull: false,
+      primaryKey: true
+    },
+    accessTokenExpiresAt: {
+      type: DataTypes.DATE,
+      get () {
+        return new Date(this.getDataValue('accesTokenExpiresAt'))
+      }
+    },
+    refreshToken: DataTypes.STRING,
+    refreshTokenExpiresAt: {
+      type: DataTypes.DATE,
+      get () {
+        return new Date(this.getDataValue('accesTokenExpiresAt'))
+      }
+    },
+    scope: DataTypes.STRING
   }, {})
 
   OAuthToken.associate = function (models) {
     OAuthToken.belongsTo(models.user)
-    OAuthToken.belongsTo(models.oauth_client)
+    OAuthToken.belongsTo(models.oauth_client, { as: 'client' })
   }
 
   return OAuthToken

server/api/oauth.js

@@ -2,41 +2,36 @@ const express = require('express')
 const OAuthServer = require('express-oauth-server')
 const oauth = express.Router()
 const oauthController = require('./controller/oauth')
+const debug = require('debug')('oauth')
 
 const oauthServer = new OAuthServer({
   model: oauthController.model,
+  allowEmptyState: true,
   useErrorHandler: true,
+  continueMiddleware: false,
   debug: true,
-  authenticateHandler: { handle(req) { return req.user } }
+  authenticateHandler: {
+    handle (req) {
+      if (!req.user) {
+        throw new Error('Not authenticated!')
+      }
+      return req.user
+    }
+  }
 })
 
-oauth.oauth = oauthServer
-oauth.use(express.urlencoded({ extended: false }))
+oauth.oauthServer = oauthServer
 oauth.use(express.json())
+oauth.use(express.urlencoded({ extended: false }))
 
-// post token
 oauth.post('/token', oauthServer.token())
 
-oauth.get('/authorize', async (req, res, next) => {
-  if (!req.user) {
-    return res.redirect(`/login?redirect=${req.path}&client_id=${req.query.client_id}&redirect_uri=${req.query.redirect_uri}`)
-  }
-
-  return oauthServer.authorize()
-})
-
-oauth.post('/authorize', (req, res, next) => {
-  if (!req.user) {
-    return res.redirect(`/login?redirect=${req.path}&client_id=${req.query.client_id}&redirect_uri=${req.query.redirect_uri}`)
-  }
-  
-  return oauthServer.authorize()
-})
+oauth.get('/authorize', oauthServer.authorize())
 
 oauth.use((err, req, res, next) => {
-  res.status(500).json(err)
+  const error_msg = err.toString()
+  debug(err)
+  res.status(500).send(error_msg)
 })
 
-// oauth.post('/login', )
-
 module.exports = oauth

server/helpers.js

@@ -42,11 +42,9 @@ module.exports = {
     moment.tz.setDefault(req.settings.instance_timezone)
 
     // TODO: oauth
-    // auth
     jwt(req, res, async () => {
       if (!req.user) { return next() }
-      req.user = await User.findOne({
-        where: { id: req.user.id, is_active: true } })
+      req.user = await User.findOne({ where: { id: req.user.id, is_active: true } })
       next()
     })
   }

server/migrations/20191226001504-oauth_client.js

@@ -2,25 +2,18 @@
 module.exports = {
   up: (queryInterface, Sequelize) => {
     return queryInterface.createTable('oauth_clients', {
-      client_id: {
-        type: Sequelize.STRING,
-        primaryKey: true
+      id: {
+        allowNull: false,
+        primaryKey: true,
+        type: Sequelize.STRING
       },
       name: Sequelize.STRING,
-      scopes: Sequelize.STRING,
       client_secret: Sequelize.STRING,
+      scopes: Sequelize.STRING,
       redirectUris: Sequelize.STRING,
+      website: Sequelize.STRING,
       createdAt: { type: Sequelize.DATE, allowNull: false },
-      updatedAt: { type: Sequelize.DATE, allowNull: false },
-      userId: {
-        type: Sequelize.INTEGER,
-        references: {
-          model: 'users',
-          key: 'id'
-        },
-        onUpdate: 'CASCADE',
-        onDelete: 'CASCADE'
-      },
+      updatedAt: { type: Sequelize.DATE, allowNull: false }
     })
   },
 

server/migrations/20191226102934-oauth_code.js

@@ -6,15 +6,16 @@ module.exports = {
         type: Sequelize.STRING,
         primaryKey: true
       },
+      expiresAt: Sequelize.DATE,
       scope: Sequelize.STRING,
       redirect_uri: Sequelize.STRING,
       createdAt: { type: Sequelize.DATE, allowNull: false },
       updatedAt: { type: Sequelize.DATE, allowNull: false },
-      oauthClientClientId: {
-        type: Sequelize.INTEGER,
+      clientId: {
+        type: Sequelize.STRING,
         references: {
           model: 'oauth_clients',
-          key: 'client_id'
+          key: 'id'
         },
         onUpdate: 'CASCADE',
         onDelete: 'CASCADE'
@@ -27,7 +28,7 @@ module.exports = {
         },
         onUpdate: 'CASCADE',
         onDelete: 'CASCADE'
-      },
+      }
     })
   },
 

server/migrations/20200119003226-oauth_token.js

@@ -0,0 +1,45 @@
+module.exports = {
+  up: (queryInterface, Sequelize) => {
+    return queryInterface.createTable('oauth_tokens', {
+      accessToken: {
+        allowNull: false,
+        primaryKey: true,
+        type: Sequelize.STRING
+      },
+      accessTokenExpiresAt: Sequelize.DATE,
+      refreshToken: Sequelize.STRING,
+      refreshTokenExpiresAt: Sequelize.DATE,
+      scope: Sequelize.STRING,
+      createdAt: { type: Sequelize.DATE, allowNull: false },
+      updatedAt: { type: Sequelize.DATE, allowNull: false },
+      clientId: {
+        type: Sequelize.STRING,
+        references: {
+          model: 'oauth_clients',
+          key: 'id'
+        },
+        onUpdate: 'CASCADE',
+        onDelete: 'CASCADE'
+      },
+      userId: {
+        type: Sequelize.INTEGER,
+        references: {
+          model: 'users',
+          key: 'id'
+        },
+        onUpdate: 'CASCADE',
+        onDelete: 'CASCADE'
+      }
+    })
+  },
+
+  down: (queryInterface, Sequelize) => {
+    /*
+      Add reverting commands here.
+      Return a promise to correctly handle asynchronicity.
+
+      Example:
+      */
+    return queryInterface.dropTable('oauth_tokens')
+  }
+}