utopia-php · premtsd-code · May 26, 2026 · May 28, 2026 · May 28, 2026 · May 28, 2026
diff --git a/src/Migration/Destinations/Appwrite.php b/src/Migration/Destinations/Appwrite.php
@@ -45,6 +45,12 @@
 use Utopia\Migration\Resources\Auth\AuthMethods;
 use Utopia\Migration\Resources\Auth\Hash;
 use Utopia\Migration\Resources\Auth\Membership;
+use Utopia\Migration\Resources\Auth\OAuth2\Apple as OAuth2Apple;
+use Utopia\Migration\Resources\Auth\OAuth2\Google as OAuth2Google;
+use Utopia\Migration\Resources\Auth\OAuth2\Microsoft as OAuth2Microsoft;
+use Utopia\Migration\Resources\Auth\OAuth2\OAuth2Provider;
+use Utopia\Migration\Resources\Auth\OAuth2\StandardProvider as OAuth2Standard;
+use Utopia\Migration\Resources\Auth\OAuth2\WithEndpointProvider as OAuth2WithEndpoint;
 use Utopia\Migration\Resources\Auth\Policies;
 use Utopia\Migration\Resources\Auth\Team;
 use Utopia\Migration\Resources\Auth\User;
@@ -260,6 +266,7 @@ public static function getSupportedResources(): array
             Resource::TYPE_MEMBERSHIP,
             Resource::TYPE_AUTH_METHODS,
             Resource::TYPE_POLICIES,
+            Resource::TYPE_OAUTH2_PROVIDER,
 
             // Database
             Resource::TYPE_DATABASE,
@@ -2196,6 +2203,10 @@ public function importAuthResource(Resource $resource): Resource
                 /** @var Policies $resource */
                 $this->createPolicies($resource);
                 break;
+            case Resource::TYPE_OAUTH2_PROVIDER:
+                /** @var OAuth2Provider $resource */
+                $this->createOAuth2Provider($resource);
+                break;
         }
 
         $resource->setStatus(Resource::STATUS_SUCCESS);
@@ -3548,6 +3559,102 @@ protected function createAuthMethods(AuthMethods $resource): bool
         return true;
     }
 
+    /**
+     * Read-then-merge a single provider's entries on the project's
+     * `oAuthProviders` map, keyed `{providerKey}Appid` / `{providerKey}Secret` /
+     * `{providerKey}Enabled`. The handshake secret is never migrated (see
+     * OAuth2Provider), so `enabled` is propagated as-is and sign-in will fail
+     * until the admin re-enters the secret on the destination.
+     */
+    protected function createOAuth2Provider(OAuth2Provider $resource): bool
+    {
+        $key = $resource::getProviderKey();
+        $project = $this->dbForPlatform->getDocument('projects', $this->projectId);
+        $oAuthProviders = $project->getAttribute('oAuthProviders', []);
+
+        if ($resource instanceof OAuth2Apple) {
+            if ($resource->getServiceId() !== '') {
+                $oAuthProviders[$key . 'Appid'] = $resource->getServiceId();
+            }
+            $oAuthProviders[$key . 'Secret'] = $this->mergeAppleSecret(
+                $oAuthProviders[$key . 'Secret'] ?? '',
+                $resource->getKeyId(),
+                $resource->getTeamId(),
+            );
+        } elseif ($resource instanceof OAuth2Standard) {
+            if ($resource->getClientId() !== '') {
+                $oAuthProviders[$key . 'Appid'] = $resource->getClientId();
+            }
+            // Per-shape extras (endpoint/tenant/prompt) ride inside the JSON secret blob.
+            if ($resource instanceof OAuth2WithEndpoint && $resource->getEndpoint() !== '') {
+                $oAuthProviders[$key . 'Secret'] = $this->mergeJsonSecret(
+                    $oAuthProviders[$key . 'Secret'] ?? '',
+                    ['endpoint' => $resource->getEndpoint()],
+                );
+            } elseif ($resource instanceof OAuth2Microsoft && $resource->getTenant() !== '') {
+                $oAuthProviders[$key . 'Secret'] = $this->mergeJsonSecret(
+                    $oAuthProviders[$key . 'Secret'] ?? '',
+                    ['tenant' => $resource->getTenant()],
+                );
+            } elseif ($resource instanceof OAuth2Google && !empty($resource->getPrompt())) {
+                $oAuthProviders[$key . 'Secret'] = $this->mergeJsonSecret(
+                    $oAuthProviders[$key . 'Secret'] ?? '',
+                    ['prompt' => $resource->getPrompt()],
+                );
+            }
+        }
+
+        $oAuthProviders[$key . 'Enabled'] = $resource->getEnabled();
+
+        $this->dbForPlatform->getAuthorization()->skip(fn () => $this->dbForPlatform->updateDocument(
+            'projects',
+            $this->projectId,
+            new UtopiaDocument(['oAuthProviders' => $oAuthProviders]),
+        ));
+
+        $this->dbForPlatform->purgeCachedDocument('projects', $this->projectId);
+
+        return true;
+    }
+
+    /**
+     * Apple stores its credential as a JSON blob of `{keyID, teamID, p8}`.
+     * Migration carries keyID/teamID (readable) but not p8 (write-only).
+     * Read the destination's existing blob, overlay the migrated fields, keep
+     * the destination's `p8` untouched.
+     */
+    private function mergeAppleSecret(string $existing, string $keyId, string $teamId): string
+    {
+        $fields = [];
+        if ($keyId !== '') {
+            $fields['keyID'] = $keyId;
+        }
+        if ($teamId !== '') {
+            $fields['teamID'] = $teamId;
+        }
+
+        return $this->mergeJsonSecret($existing, $fields);
+    }
+
+    /**
+     * Merge a partial fields map into a JSON-encoded secret blob, preserving
+     * existing keys on the destination and overriding only the migrated ones.
+     *
+     * @param array<string, mixed> $fields
+     */
+    private function mergeJsonSecret(string $existing, array $fields): string
+    {
+        $decoded = $existing === '' ? [] : (\json_decode($existing, true) ?: []);
+        if (!\is_array($decoded)) {
+            $decoded = [];
+        }
+        foreach ($fields as $name => $value) {
+            $decoded[$name] = $value;
+        }
+
+        return \json_encode($decoded) ?: '';
+    }
+
     /**
      * Direct DB write — SDK policy setters reject `total: 0` but `0` is the
      * storage value for "disabled". Shares the `auths` map with

diff --git a/src/Migration/Resource.php b/src/Migration/Resource.php
@@ -73,6 +73,11 @@ abstract class Resource implements \JsonSerializable
 
     public const TYPE_POLICIES = 'policies';
 
+    // One type shared by all OAuth2 provider Resource classes (dispatch is by
+    // `instanceof` on the destination). A per-provider type would overflow the
+    // migration document's 3KB `statusCounters` column when OAuth is selected.
+    public const TYPE_OAUTH2_PROVIDER = 'oauth2-provider';
+
     public const TYPE_ENVIRONMENT_VARIABLE = 'environment-variable';
 
     // Integrations
@@ -131,6 +136,7 @@ abstract class Resource implements \JsonSerializable
         self::TYPE_MEMBERSHIP,
         self::TYPE_AUTH_METHODS,
         self::TYPE_POLICIES,
+        self::TYPE_OAUTH2_PROVIDER,
         self::TYPE_PLATFORM,
         self::TYPE_API_KEY,
         self::TYPE_WEBHOOK,

diff --git a/src/Migration/Resources/Auth/OAuth2/Amazon.php b/src/Migration/Resources/Auth/OAuth2/Amazon.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Amazon extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'amazon';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Apple.php b/src/Migration/Resources/Auth/OAuth2/Apple.php
@@ -0,0 +1,80 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+/**
+ * Apple OAuth2 provider. Bespoke shape — the credential is split across four
+ * fields. `serviceId`/`keyId`/`teamId` are readable on the source and
+ * migrated; `p8File` is write-only and must be re-entered on the destination.
+ */
+class Apple extends OAuth2Provider
+{
+    public function __construct(
+        string $id,
+        bool $enabled,
+        private readonly string $serviceId = '',
+        private readonly string $keyId = '',
+        private readonly string $teamId = '',
+        string $createdAt = '',
+        string $updatedAt = '',
+    ) {
+        parent::__construct($id, $enabled, $createdAt, $updatedAt);
+    }
+
+    /**
+     * @param array<string, mixed> $array
+     */
+    public static function fromArray(array $array): self
+    {
+        return new self(
+            $array['id'],
+            (bool) ($array['enabled'] ?? false),
+            (string) ($array['serviceId'] ?? ''),
+            (string) ($array['keyId'] ?? ''),
+            (string) ($array['teamId'] ?? ''),
+            createdAt: $array['createdAt'] ?? '',
+            updatedAt: $array['updatedAt'] ?? '',
+        );
+    }
+
+    /**
+     * @return array<string, mixed>
+     */
+    public function jsonSerialize(): array
+    {
+        return [
+            'id' => $this->id,
+            'enabled' => $this->enabled,
+            'serviceId' => $this->serviceId,
+            'keyId' => $this->keyId,
+            'teamId' => $this->teamId,
+            'createdAt' => $this->createdAt,
+            'updatedAt' => $this->updatedAt,
+        ];
+    }
+
+    public static function getProviderKey(): string
+    {
+        return 'apple';
+    }
+
+    public function isConfigured(): bool
+    {
+        return $this->enabled || $this->serviceId !== '';
+    }
+
+    public function getServiceId(): string
+    {
+        return $this->serviceId;
+    }
+
+    public function getKeyId(): string
+    {
+        return $this->keyId;
+    }
+
+    public function getTeamId(): string
+    {
+        return $this->teamId;
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Auth0.php b/src/Migration/Resources/Auth/OAuth2/Auth0.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Auth0 extends WithEndpointProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'auth0';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Authentik.php b/src/Migration/Resources/Auth/OAuth2/Authentik.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Authentik extends WithEndpointProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'authentik';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Autodesk.php b/src/Migration/Resources/Auth/OAuth2/Autodesk.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Autodesk extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'autodesk';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Bitbucket.php b/src/Migration/Resources/Auth/OAuth2/Bitbucket.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Bitbucket extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'bitbucket';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Bitly.php b/src/Migration/Resources/Auth/OAuth2/Bitly.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Bitly extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'bitly';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Box.php b/src/Migration/Resources/Auth/OAuth2/Box.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Box extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'box';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Dailymotion.php b/src/Migration/Resources/Auth/OAuth2/Dailymotion.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Dailymotion extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'dailymotion';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Discord.php b/src/Migration/Resources/Auth/OAuth2/Discord.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Discord extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'discord';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Disqus.php b/src/Migration/Resources/Auth/OAuth2/Disqus.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Disqus extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'disqus';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Dropbox.php b/src/Migration/Resources/Auth/OAuth2/Dropbox.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Dropbox extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'dropbox';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Etsy.php b/src/Migration/Resources/Auth/OAuth2/Etsy.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Etsy extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'etsy';
+    }
+}
diff --git a/src/Migration/Resources/Auth/OAuth2/Facebook.php b/src/Migration/Resources/Auth/OAuth2/Facebook.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace Utopia\Migration\Resources\Auth\OAuth2;
+
+class Facebook extends StandardProvider
+{
+    public static function getProviderKey(): string
+    {
+        return 'facebook';
+    }
+}