Massive refactor. Merge forward_auth into App, remove references to unimplemented OIDC federation and SAML features. Add group and user custom claims. Groups now allocate which apps a user can use

db/migrate/20251104014854_add_custom_claims_to_groups_and_users.rb

@@ -0,0 +1,6 @@
+class AddCustomClaimsToGroupsAndUsers < ActiveRecord::Migration[8.1]
+  def change
+    add_column :groups, :custom_claims, :json, default: {}, null: false
+    add_column :users, :custom_claims, :json, default: {}, null: false
+  end
+end

db/migrate/20251104014928_add_forward_auth_fields_to_applications.rb

@@ -0,0 +1,10 @@
+class AddForwardAuthFieldsToApplications < ActiveRecord::Migration[8.1]
+  def change
+    # Add ForwardAuth-specific fields
+    add_column :applications, :domain_pattern, :string
+    add_column :applications, :headers_config, :json, default: {}, null: false
+
+    # Add index on domain_pattern for lookup performance
+    add_index :applications, :domain_pattern, unique: true, where: "domain_pattern IS NOT NULL"
+  end
+end

db/migrate/20251104014955_migrate_forward_auth_rules_to_applications.rb

@@ -0,0 +1,71 @@
+class MigrateForwardAuthRulesToApplications < ActiveRecord::Migration[8.1]
+  def up
+    # Temporarily define models for migration
+    forward_auth_rule_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "forward_auth_rules"
+      has_many :forward_auth_rule_groups, foreign_key: :forward_auth_rule_id, dependent: :destroy
+      has_many :allowed_groups, through: :forward_auth_rule_groups, source: :group, class_name: "MigrateForwardAuthRulesToApplications::Group"
+    end
+
+    forward_auth_rule_group_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "forward_auth_rule_groups"
+      belongs_to :forward_auth_rule, class_name: "MigrateForwardAuthRulesToApplications::ForwardAuthRule"
+      belongs_to :group, class_name: "MigrateForwardAuthRulesToApplications::Group"
+    end
+
+    group_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "groups"
+    end
+
+    application_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "applications"
+      has_many :application_groups, foreign_key: :application_id, dependent: :destroy
+    end
+
+    application_group_class = Class.new(ActiveRecord::Base) do
+      self.table_name = "application_groups"
+      belongs_to :application, class_name: "MigrateForwardAuthRulesToApplications::Application"
+      belongs_to :group, class_name: "MigrateForwardAuthRulesToApplications::Group"
+    end
+
+    # Assign to constants so we can reference them
+    stub_const("MigrateForwardAuthRulesToApplications::ForwardAuthRule", forward_auth_rule_class)
+    stub_const("MigrateForwardAuthRulesToApplications::ForwardAuthRuleGroup", forward_auth_rule_group_class)
+    stub_const("MigrateForwardAuthRulesToApplications::Group", group_class)
+    stub_const("MigrateForwardAuthRulesToApplications::Application", application_class)
+    stub_const("MigrateForwardAuthRulesToApplications::ApplicationGroup", application_group_class)
+
+    # Migrate each ForwardAuthRule to an Application
+    forward_auth_rule_class.find_each do |rule|
+      # Create Application from ForwardAuthRule
+      app = application_class.create!(
+        name: rule.domain_pattern.titleize,
+        slug: rule.domain_pattern.parameterize.presence || "forward-auth-#{rule.id}",
+        app_type: 'forward_auth',
+        domain_pattern: rule.domain_pattern,
+        headers_config: rule.headers_config || {},
+        active: rule.active
+      )
+
+      # Migrate group associations
+      forward_auth_rule_group_class.where(forward_auth_rule_id: rule.id).find_each do |far_group|
+        application_group_class.create!(
+          application_id: app.id,
+          group_id: far_group.group_id
+        )
+      end
+    end
+  end
+
+  def down
+    # Remove all forward_auth applications created by this migration
+    Application.where(app_type: 'forward_auth').destroy_all
+  end
+
+  private
+
+  def stub_const(name, value)
+    parts = name.split("::")
+    parts[0..-2].inject(Object) { |mod, part| mod.const_get(part) }.const_set(parts.last, value)
+  end
+end

db/migrate/20251104015034_remove_role_related_tables_and_columns.rb

@@ -0,0 +1,15 @@
+class RemoveRoleRelatedTablesAndColumns < ActiveRecord::Migration[8.1]
+  def change
+    # Remove join table first (due to foreign keys)
+    drop_table :user_role_assignments if table_exists?(:user_role_assignments)
+
+    # Remove application_roles table
+    drop_table :application_roles if table_exists?(:application_roles)
+
+    # Remove role-related columns from applications
+    remove_column :applications, :role_mapping_mode, :string if column_exists?(:applications, :role_mapping_mode)
+    remove_column :applications, :role_prefix, :string if column_exists?(:applications, :role_prefix)
+    remove_column :applications, :role_claim_name, :string if column_exists?(:applications, :role_claim_name)
+    remove_column :applications, :managed_permissions, :json if column_exists?(:applications, :managed_permissions)
+  end
+end

db/migrate/20251104015104_remove_forward_auth_tables.rb

@@ -0,0 +1,9 @@
+class RemoveForwardAuthTables < ActiveRecord::Migration[8.1]
+  def change
+    # Remove join table first (due to foreign keys)
+    drop_table :forward_auth_rule_groups if table_exists?(:forward_auth_rule_groups)
+
+    # Remove forward_auth_rules table
+    drop_table :forward_auth_rules if table_exists?(:forward_auth_rules)
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.1].define(version: 2025_10_26_113035) do
+ActiveRecord::Schema[8.1].define(version: 2025_11_04_015104) do
   create_table "application_groups", force: :cascade do |t|
     t.integer "application_id", null: false
     t.datetime "created_at", null: false
@@ -21,19 +21,6 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_26_113035) do
     t.index ["group_id"], name: "index_application_groups_on_group_id"
   end
 
-  create_table "application_roles", force: :cascade do |t|
-    t.boolean "active", default: true
-    t.integer "application_id", null: false
-    t.datetime "created_at", null: false
-    t.text "description"
-    t.string "display_name"
-    t.string "name", null: false
-    t.json "permissions", default: {}
-    t.datetime "updated_at", null: false
-    t.index ["application_id", "name"], name: "index_application_roles_on_application_id_and_name", unique: true
-    t.index ["application_id"], name: "index_application_roles_on_application_id"
-  end
-
   create_table "applications", force: :cascade do |t|
     t.boolean "active", default: true, null: false
     t.string "app_type", null: false
@@ -41,40 +28,22 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_26_113035) do
     t.string "client_secret_digest"
     t.datetime "created_at", null: false
     t.text "description"
-    t.json "managed_permissions", default: {}
+    t.string "domain_pattern"
+    t.json "headers_config", default: {}, null: false
     t.text "metadata"
     t.string "name", null: false
     t.text "redirect_uris"
-    t.string "role_claim_name", default: "roles"
-    t.string "role_mapping_mode", default: "disabled", null: false
-    t.string "role_prefix"
     t.string "slug", null: false
     t.datetime "updated_at", null: false
     t.index ["active"], name: "index_applications_on_active"
     t.index ["client_id"], name: "index_applications_on_client_id", unique: true
+    t.index ["domain_pattern"], name: "index_applications_on_domain_pattern", unique: true, where: "domain_pattern IS NOT NULL"
     t.index ["slug"], name: "index_applications_on_slug", unique: true
   end
 
-  create_table "forward_auth_rule_groups", force: :cascade do |t|
-    t.datetime "created_at", null: false
-    t.integer "forward_auth_rule_id", null: false
-    t.integer "group_id", null: false
-    t.datetime "updated_at", null: false
-    t.index ["forward_auth_rule_id"], name: "index_forward_auth_rule_groups_on_forward_auth_rule_id"
-    t.index ["group_id"], name: "index_forward_auth_rule_groups_on_group_id"
-  end
-
-  create_table "forward_auth_rules", force: :cascade do |t|
-    t.boolean "active"
-    t.datetime "created_at", null: false
-    t.string "domain_pattern"
-    t.json "headers_config", default: {}, null: false
-    t.integer "policy"
-    t.datetime "updated_at", null: false
-  end
-
   create_table "groups", force: :cascade do |t|
     t.datetime "created_at", null: false
+    t.json "custom_claims", default: {}, null: false
     t.text "description"
     t.string "name", null: false
     t.datetime "updated_at", null: false
@@ -152,22 +121,11 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_26_113035) do
     t.index ["user_id"], name: "index_user_groups_on_user_id"
   end
 
-  create_table "user_role_assignments", force: :cascade do |t|
-    t.integer "application_role_id", null: false
-    t.datetime "created_at", null: false
-    t.json "metadata", default: {}
-    t.string "source", default: "oidc"
-    t.datetime "updated_at", null: false
-    t.integer "user_id", null: false
-    t.index ["application_role_id"], name: "index_user_role_assignments_on_application_role_id"
-    t.index ["user_id", "application_role_id"], name: "index_user_role_assignments_on_user_id_and_application_role_id", unique: true
-    t.index ["user_id"], name: "index_user_role_assignments_on_user_id"
-  end
-
   create_table "users", force: :cascade do |t|
     t.boolean "admin", default: false, null: false
     t.text "backup_codes"
     t.datetime "created_at", null: false
+    t.json "custom_claims", default: {}, null: false
     t.string "email_address", null: false
     t.datetime "last_sign_in_at"
     t.string "password_digest", null: false
@@ -181,9 +139,6 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_26_113035) do
 
   add_foreign_key "application_groups", "applications"
   add_foreign_key "application_groups", "groups"
-  add_foreign_key "application_roles", "applications"
-  add_foreign_key "forward_auth_rule_groups", "forward_auth_rules"
-  add_foreign_key "forward_auth_rule_groups", "groups"
   add_foreign_key "oidc_access_tokens", "applications"
   add_foreign_key "oidc_access_tokens", "users"
   add_foreign_key "oidc_authorization_codes", "applications"
@@ -193,6 +148,4 @@ ActiveRecord::Schema[8.1].define(version: 2025_10_26_113035) do
   add_foreign_key "sessions", "users"
   add_foreign_key "user_groups", "groups"
   add_foreign_key "user_groups", "users"
-  add_foreign_key "user_role_assignments", "application_roles"
-  add_foreign_key "user_role_assignments", "users"
 end