
feat: add nonce claim support to oidc server#686

Merged: steveiliop56 merged 2 commits into main from feat/oidc-nonce on Mar 4, 2026

Conversation

steveiliop56 (Member) commented Mar 3, 2026

Summary by CodeRabbit

  • New Features

    • Added OpenID Connect nonce support: requests now carry nonce, it's extracted, stored with codes/tokens, and included in ID token claims (also preserved on refresh).
  • Chores

    • Database schema and migrations updated to persist nonce for OIDC codes and tokens.

coderabbitai (bot, Contributor) commented Mar 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ade21d43-8ad5-47a7-8139-34b82e7ab17d

📥 Commits

Reviewing files that changed from the base of the PR and between ec81214 and dbc7b10.

📒 Files selected for processing (2)
  • internal/service/oidc_service.go
  • sql/oidc_queries.sql
🚧 Files skipped from review as they are similar to previous changes (1)
  • internal/service/oidc_service.go

📝 Walkthrough

Walkthrough

Adds OIDC nonce propagation: frontend params and authorize payload include nonce; DB schema, migrations, sqlc mappings, and repository queries/models store nonce; service and controller logic propagate nonce into ID token claims and token storage; GenerateAccessToken now accepts a full code entry.

Changes

Cohort / File(s): Summary
  • Frontend OIDC (frontend/src/lib/hooks/oidc.ts, frontend/src/pages/authorize-page.tsx): Added nonce to OIDCValues and included nonce in the authorize mutation payload.
  • Migrations (internal/assets/migrations/000006_oidc_nonce.up.sql, internal/assets/migrations/000006_oidc_nonce.down.sql): Add/remove nonce TEXT DEFAULT "" on oidc_codes and oidc_tokens.
  • DB Schema & sqlc config (sql/oidc_schemas.sql, sqlc.yml): Schema adds nonce columns; sqlc mappings register nonce as a Go string.
  • SQL + Generated Queries (sql/oidc_queries.sql, internal/repository/oidc_queries.sql.go): Create/Select/Update/Delete queries extended to include nonce; CreateOidcCode/CreateOidcToken signatures gain nonce; scans/returns updated.
  • Repository Models (internal/repository/models.go): Added Nonce string fields to the OidcCode and OidcToken structs.
  • Service Logic (internal/service/oidc_service.go): Added Nonce to ClaimSet and AuthorizeRequest; generateIDToken signature extended to accept nonce; token generation, storage, and refresh flows propagate nonce; GenerateAccessToken refactored to accept repository.OidcCode.
  • Controller (internal/controller/oidc_controller.go): Updated the GenerateAccessToken call to pass the full code entry instead of separate sub/scope params.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Frontend
    participant OIDCController
    participant OIDCService
    participant Database

    Client->>Frontend: Authorization request (includes nonce)
    Frontend->>OIDCController: POST /api/oidc/authorize (nonce)
    OIDCController->>OIDCService: StoreCode(AuthorizeRequest{..., nonce})
    OIDCService->>Database: INSERT OidcCode (code, sub, scope, nonce)
    Database-->>OIDCService: Code stored
    OIDCService-->>OIDCController: authorization code
    OIDCController-->>Frontend: code

    Frontend->>OIDCController: POST /token (code)
    OIDCController->>OIDCService: GenerateAccessToken(code)
    OIDCService->>Database: SELECT OidcCode by code
    Database-->>OIDCService: OidcCode{sub, scope, nonce}
    OIDCService->>OIDCService: generateIDToken(sub, scope, nonce)
    OIDCService->>Database: INSERT OidcToken (access, id, sub, scope, nonce)
    Database-->>OIDCService: Token stored
    OIDCService-->>OIDCController: tokens (access + id)
    OIDCController-->>Frontend: tokens

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • steveiliop56/tinyauth#605: Introduced core OIDC flows and artifacts (authorize-page, hooks, service/controller/repository SQL) that this PR extends by adding nonce propagation.

Poem

🐰 Hopping through claims with a curious nonce,
tucked in the schema, secured at each juncture once.
From frontend to DB, then signed in the light,
I stitch every token—soft paws, code delight.
🥕🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and accurately describes the main change: adding nonce claim support to the OIDC server implementation, which is reflected across all modified files (frontend types, backend service, database schema, and migrations).


coderabbitai (bot, Contributor) left a review

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/service/oidc_service.go`:
- Line 424: The call to generateIDToken is passing the wrong
parameter—codeEntry.Sub is used where the scope should be passed; update the
call in the authorization code exchange path (the service.generateIDToken
invocation) to pass codeEntry.Scope as the third argument (keeping
codeEntry.Nonce as the fourth) so the generated ID token receives the correct
scope claim (consistent with the RefreshAccessToken usage that passes
entry.Scope, entry.Nonce).
- Around line 447-455: The CreateOidcToken call is missing the Nonce field in
the CreateOidcTokenParams payload, so persist the nonce by adding Nonce:
codeEntry.Nonce to the params used in service.queries.CreateOidcToken; update
the parameter list where CreateOidcTokenParams is constructed (in the function
containing CreateOidcToken call) so entry.Nonce is stored and later available to
RefreshAccessToken and ID token generation.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0e6bcf9 and ec81214.

📒 Files selected for processing (11)
  • frontend/src/lib/hooks/oidc.ts
  • frontend/src/pages/authorize-page.tsx
  • internal/assets/migrations/000006_oidc_nonce.down.sql
  • internal/assets/migrations/000006_oidc_nonce.up.sql
  • internal/controller/oidc_controller.go
  • internal/repository/models.go
  • internal/repository/oidc_queries.sql.go
  • internal/service/oidc_service.go
  • sql/oidc_queries.sql
  • sql/oidc_schemas.sql
  • sqlc.yml

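The nonce flow that the walkthrough and sequence diagram describe, together with the two defects the review flagged (the wrong field passed where the scope belongs, and the nonce left out of the stored token), as an added Go example. This is not tinyauth's code: the ClaimSet, codeEntry, tokenEntry and Server types, the in-memory maps and the function names are assumptions made for the example, and the ID token is represented as plain claims rather than a signed JWT. It shows the server storing the nonce with the authorization code, copying it field by field into the ID-token claims and onto the token record so a refresh preserves it, and the relying-party check that rejects an ID token whose nonce does not match the one bound to its session.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ClaimSet holds the ID-token claims relevant here (assumed names, not tinyauth's types).
type ClaimSet struct{ Sub, Scope, Nonce string } // Nonce is empty when the RP sent none

// codeEntry and tokenEntry stand in for the oidc_codes / oidc_tokens rows that persist the nonce.
type codeEntry struct {
	Sub, Scope, Nonce string
	Expires           time.Time
}

type tokenEntry struct{ Sub, Scope, Nonce string }
// Server is an in-memory stand-in for the service and repository layers.
type Server struct {
	mu     sync.Mutex
	codes  map[string]codeEntry
	tokens map[string]tokenEntry // keyed by refresh token
}

func NewServer() *Server { return &Server{codes: map[string]codeEntry{}, tokens: map[string]tokenEntry{}} }

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Authorize stores the nonce the RP sent next to the code it issues.
func (s *Server) Authorize(sub, scope, nonce string) string {
	code := randomToken()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = codeEntry{Sub: sub, Scope: scope, Nonce: nonce, Expires: time.Now().Add(5 * time.Minute)}
	return code
}

// Exchange consumes a code once. Claims are built from the stored entry field by field
// (so sub and scope cannot be swapped as the review flagged) and the nonce is copied onto
// the token record so Refresh can reuse it (the review's other finding).
func (s *Server) Exchange(code string) (ClaimSet, string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	entry, ok := s.codes[code]
	if !ok || time.Now().After(entry.Expires) {
		return ClaimSet{}, "", errors.New("invalid or expired code")
	}
	delete(s.codes, code) // single use: a replayed code must fail
	refresh := randomToken()
	s.tokens[refresh] = tokenEntry{Sub: entry.Sub, Scope: entry.Scope, Nonce: entry.Nonce}
	return ClaimSet{Sub: entry.Sub, Scope: entry.Scope, Nonce: entry.Nonce}, refresh, nil
}

// Refresh issues new ID-token claims that carry the original nonce, as OIDC Core
// section 12.2 requires of a refreshed ID token.
func (s *Server) Refresh(refreshToken string) (ClaimSet, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	entry, ok := s.tokens[refreshToken]
	if !ok {
		return ClaimSet{}, errors.New("unknown refresh token")
	}
	return ClaimSet{Sub: entry.Sub, Scope: entry.Scope, Nonce: entry.Nonce}, nil
}

// NewNonce is what the RP generates and binds to its session before redirecting.
func NewNonce() string { return randomToken() }

// VerifyNonce is the RP-side check: if a nonce was sent, the ID token must echo exactly
// that value; an empty or different nonce means the token is not bound to this session.
func VerifyNonce(claims ClaimSet, expected string) error {
	if expected == "" {
		return nil
	}
	if subtle.ConstantTimeCompare([]byte(claims.Nonce), []byte(expected)) != 1 {
		return errors.New("nonce mismatch: ID token not bound to this session")
	}
	return nil
}

func main() {
	s := NewServer()
	n := NewNonce()
	claims, refresh, _ := s.Exchange(s.Authorize("alice", "openid profile", n))
	again, _ := s.Refresh(refresh)
	fmt.Println("bound:", VerifyNonce(claims, n) == nil, "kept on refresh:", again.Nonce == n)
}
```

The RP-side check is the reason the claim exists: the server can only echo the value back, and an ID token minted for some other session is caught only if the client compares. Note that when a nonce was sent, a token with an empty nonce must be rejected rather than treated as "no nonce", which is why VerifyNonce only short-circuits on an empty expected value, not on an empty claim.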
codecov (bot) commented Mar 3, 2026

Codecov Report

❌ Patch coverage is 3.57143% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 15.19%. Comparing base (0e6bcf9) to head (dbc7b10).
⚠️ Report is 1 commits behind head on main.

Files with missing lines (patch %, lines missing):
  • internal/repository/oidc_queries.sql.go: 0.00%, 14 missing ⚠️
  • internal/service/oidc_service.go: 0.00%, 13 missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #686      +/-   ##
==========================================
- Coverage   15.27%   15.19%   -0.08%     
==========================================
  Files          50       50              
  Lines        3673     3692      +19     
==========================================
  Hits          561      561              
- Misses       3055     3074      +19     
  Partials       57       57              


@steveiliop56 steveiliop56 merged commit 6bf4440 into main Mar 4, 2026
8 checks passed
@Rycochet Rycochet deleted the feat/oidc-nonce branch April 1, 2026 16:09