feat(database): support for postgres (#3998)

* beginning with postgres statements * try pgx * use pgx * database * init works for postgres * arrays working * init for cockroach * init * start tests * tests * TESTS * ch * ch * chore: use go 1.18 * read stmts * fix typo * tests * connection string * add missing error handler * cleanup * start all apis * go mod tidy * old update * switch back to minute * on conflict * replace string slice with `database.StringArray` in db models * fix tests and start * update go version in dockerfile * setup go * clean up * remove notification migration * update * docs: add deploy guide for postgres * fix: revert sonyflake * use `database.StringArray` for daos * use `database.StringArray` every where * new tables * index naming, metadata primary key, project grant role key type * docs(postgres): change to beta * chore: correct compose * fix(defaults): add empty postgres config * refactor: remove unused code * docs: add postgres to self hosted * fix broken link * so? * change title * add mdx to link * fix stmt * update goreleaser in test-code * docs: improve postgres example * update more projections * fix: add beta log for postgres * revert index name change * prerelease * fix: add sequence to v1 "reduce paniced" * log if nil * add logging * fix: log output * fix(import): check if org exists and user * refactor: imports * fix(user): ignore malformed events * refactor: method naming * fix: test * refactor: correct errors.Is call * ci: don't build dev binaries on main * fix(go releaser): update version to 1.11.0 * fix(user): projection should not break * fix(user): handle error properly * docs: correct config example * Update .releaserc.js * Update .releaserc.js Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Elio Bischof <eliobischof@gmail.com>
2025-08-11 20:57:31 +00:00 · 2022-08-31 09:52:43 +02:00
parent d6c9815945
commit 77b4fc5487
189 changed files with 3401 additions and 2956 deletions
--- a/internal/query/app_test.go
+++ b/internal/query/app_test.go
@@ -9,104 +9,103 @@ import (
 	"testing"
 	"time"

-	"github.com/lib/pq"
-
+	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	errs "github.com/zitadel/zitadel/internal/errors"
 )

 var (
-	expectedAppQuery = regexp.QuoteMeta(`SELECT projections.apps.id,` +
-		` projections.apps.name,` +
-		` projections.apps.project_id,` +
-		` projections.apps.creation_date,` +
-		` projections.apps.change_date,` +
-		` projections.apps.resource_owner,` +
-		` projections.apps.state,` +
-		` projections.apps.sequence,` +
+	expectedAppQuery = regexp.QuoteMeta(`SELECT projections.apps2.id,` +
+		` projections.apps2.name,` +
+		` projections.apps2.project_id,` +
+		` projections.apps2.creation_date,` +
+		` projections.apps2.change_date,` +
+		` projections.apps2.resource_owner,` +
+		` projections.apps2.state,` +
+		` projections.apps2.sequence,` +
 		// api config
-		` projections.apps_api_configs.app_id,` +
-		` projections.apps_api_configs.client_id,` +
-		` projections.apps_api_configs.auth_method,` +
+		` projections.apps2_api_configs.app_id,` +
+		` projections.apps2_api_configs.client_id,` +
+		` projections.apps2_api_configs.auth_method,` +
 		// oidc config
-		` projections.apps_oidc_configs.app_id,` +
-		` projections.apps_oidc_configs.version,` +
-		` projections.apps_oidc_configs.client_id,` +
-		` projections.apps_oidc_configs.redirect_uris,` +
-		` projections.apps_oidc_configs.response_types,` +
-		` projections.apps_oidc_configs.grant_types,` +
-		` projections.apps_oidc_configs.application_type,` +
-		` projections.apps_oidc_configs.auth_method_type,` +
-		` projections.apps_oidc_configs.post_logout_redirect_uris,` +
-		` projections.apps_oidc_configs.is_dev_mode,` +
-		` projections.apps_oidc_configs.access_token_type,` +
-		` projections.apps_oidc_configs.access_token_role_assertion,` +
-		` projections.apps_oidc_configs.id_token_role_assertion,` +
-		` projections.apps_oidc_configs.id_token_userinfo_assertion,` +
-		` projections.apps_oidc_configs.clock_skew,` +
-		` projections.apps_oidc_configs.additional_origins` +
-		` FROM projections.apps` +
-		` LEFT JOIN projections.apps_api_configs ON projections.apps.id = projections.apps_api_configs.app_id` +
-		` LEFT JOIN projections.apps_oidc_configs ON projections.apps.id = projections.apps_oidc_configs.app_id`)
-	expectedAppsQuery = regexp.QuoteMeta(`SELECT projections.apps.id,` +
-		` projections.apps.name,` +
-		` projections.apps.project_id,` +
-		` projections.apps.creation_date,` +
-		` projections.apps.change_date,` +
-		` projections.apps.resource_owner,` +
-		` projections.apps.state,` +
-		` projections.apps.sequence,` +
+		` projections.apps2_oidc_configs.app_id,` +
+		` projections.apps2_oidc_configs.version,` +
+		` projections.apps2_oidc_configs.client_id,` +
+		` projections.apps2_oidc_configs.redirect_uris,` +
+		` projections.apps2_oidc_configs.response_types,` +
+		` projections.apps2_oidc_configs.grant_types,` +
+		` projections.apps2_oidc_configs.application_type,` +
+		` projections.apps2_oidc_configs.auth_method_type,` +
+		` projections.apps2_oidc_configs.post_logout_redirect_uris,` +
+		` projections.apps2_oidc_configs.is_dev_mode,` +
+		` projections.apps2_oidc_configs.access_token_type,` +
+		` projections.apps2_oidc_configs.access_token_role_assertion,` +
+		` projections.apps2_oidc_configs.id_token_role_assertion,` +
+		` projections.apps2_oidc_configs.id_token_userinfo_assertion,` +
+		` projections.apps2_oidc_configs.clock_skew,` +
+		` projections.apps2_oidc_configs.additional_origins` +
+		` FROM projections.apps2` +
+		` LEFT JOIN projections.apps2_api_configs ON projections.apps2.id = projections.apps2_api_configs.app_id` +
+		` LEFT JOIN projections.apps2_oidc_configs ON projections.apps2.id = projections.apps2_oidc_configs.app_id`)
+	expectedAppsQuery = regexp.QuoteMeta(`SELECT projections.apps2.id,` +
+		` projections.apps2.name,` +
+		` projections.apps2.project_id,` +
+		` projections.apps2.creation_date,` +
+		` projections.apps2.change_date,` +
+		` projections.apps2.resource_owner,` +
+		` projections.apps2.state,` +
+		` projections.apps2.sequence,` +
 		// api config
-		` projections.apps_api_configs.app_id,` +
-		` projections.apps_api_configs.client_id,` +
-		` projections.apps_api_configs.auth_method,` +
+		` projections.apps2_api_configs.app_id,` +
+		` projections.apps2_api_configs.client_id,` +
+		` projections.apps2_api_configs.auth_method,` +
 		// oidc config
-		` projections.apps_oidc_configs.app_id,` +
-		` projections.apps_oidc_configs.version,` +
-		` projections.apps_oidc_configs.client_id,` +
-		` projections.apps_oidc_configs.redirect_uris,` +
-		` projections.apps_oidc_configs.response_types,` +
-		` projections.apps_oidc_configs.grant_types,` +
-		` projections.apps_oidc_configs.application_type,` +
-		` projections.apps_oidc_configs.auth_method_type,` +
-		` projections.apps_oidc_configs.post_logout_redirect_uris,` +
-		` projections.apps_oidc_configs.is_dev_mode,` +
-		` projections.apps_oidc_configs.access_token_type,` +
-		` projections.apps_oidc_configs.access_token_role_assertion,` +
-		` projections.apps_oidc_configs.id_token_role_assertion,` +
-		` projections.apps_oidc_configs.id_token_userinfo_assertion,` +
-		` projections.apps_oidc_configs.clock_skew,` +
-		` projections.apps_oidc_configs.additional_origins,` +
+		` projections.apps2_oidc_configs.app_id,` +
+		` projections.apps2_oidc_configs.version,` +
+		` projections.apps2_oidc_configs.client_id,` +
+		` projections.apps2_oidc_configs.redirect_uris,` +
+		` projections.apps2_oidc_configs.response_types,` +
+		` projections.apps2_oidc_configs.grant_types,` +
+		` projections.apps2_oidc_configs.application_type,` +
+		` projections.apps2_oidc_configs.auth_method_type,` +
+		` projections.apps2_oidc_configs.post_logout_redirect_uris,` +
+		` projections.apps2_oidc_configs.is_dev_mode,` +
+		` projections.apps2_oidc_configs.access_token_type,` +
+		` projections.apps2_oidc_configs.access_token_role_assertion,` +
+		` projections.apps2_oidc_configs.id_token_role_assertion,` +
+		` projections.apps2_oidc_configs.id_token_userinfo_assertion,` +
+		` projections.apps2_oidc_configs.clock_skew,` +
+		` projections.apps2_oidc_configs.additional_origins,` +
 		` COUNT(*) OVER ()` +
-		` FROM projections.apps` +
-		` LEFT JOIN projections.apps_api_configs ON projections.apps.id = projections.apps_api_configs.app_id` +
-		` LEFT JOIN projections.apps_oidc_configs ON projections.apps.id = projections.apps_oidc_configs.app_id`)
-	expectedAppIDsQuery = regexp.QuoteMeta(`SELECT projections.apps_api_configs.client_id,` +
-		` projections.apps_oidc_configs.client_id` +
-		` FROM projections.apps` +
-		` LEFT JOIN projections.apps_api_configs ON projections.apps.id = projections.apps_api_configs.app_id` +
-		` LEFT JOIN projections.apps_oidc_configs ON projections.apps.id = projections.apps_oidc_configs.app_id`)
-	expectedProjectIDByAppQuery = regexp.QuoteMeta(`SELECT projections.apps.project_id` +
-		` FROM projections.apps` +
-		` LEFT JOIN projections.apps_api_configs ON projections.apps.id = projections.apps_api_configs.app_id` +
-		` LEFT JOIN projections.apps_oidc_configs ON projections.apps.id = projections.apps_oidc_configs.app_id`)
-	expectedProjectByAppQuery = regexp.QuoteMeta(`SELECT projections.projects.id,` +
-		` projections.projects.creation_date,` +
-		` projections.projects.change_date,` +
-		` projections.projects.resource_owner,` +
-		` projections.projects.state,` +
-		` projections.projects.sequence,` +
-		` projections.projects.name,` +
-		` projections.projects.project_role_assertion,` +
-		` projections.projects.project_role_check,` +
-		` projections.projects.has_project_check,` +
-		` projections.projects.private_labeling_setting` +
-		` FROM projections.projects` +
-		` JOIN projections.apps ON projections.projects.id = projections.apps.project_id` +
-		` LEFT JOIN projections.apps_api_configs ON projections.apps.id = projections.apps_api_configs.app_id` +
-		` LEFT JOIN projections.apps_oidc_configs ON projections.apps.id = projections.apps_oidc_configs.app_id`)
+		` FROM projections.apps2` +
+		` LEFT JOIN projections.apps2_api_configs ON projections.apps2.id = projections.apps2_api_configs.app_id` +
+		` LEFT JOIN projections.apps2_oidc_configs ON projections.apps2.id = projections.apps2_oidc_configs.app_id`)
+	expectedAppIDsQuery = regexp.QuoteMeta(`SELECT projections.apps2_api_configs.client_id,` +
+		` projections.apps2_oidc_configs.client_id` +
+		` FROM projections.apps2` +
+		` LEFT JOIN projections.apps2_api_configs ON projections.apps2.id = projections.apps2_api_configs.app_id` +
+		` LEFT JOIN projections.apps2_oidc_configs ON projections.apps2.id = projections.apps2_oidc_configs.app_id`)
+	expectedProjectIDByAppQuery = regexp.QuoteMeta(`SELECT projections.apps2.project_id` +
+		` FROM projections.apps2` +
+		` LEFT JOIN projections.apps2_api_configs ON projections.apps2.id = projections.apps2_api_configs.app_id` +
+		` LEFT JOIN projections.apps2_oidc_configs ON projections.apps2.id = projections.apps2_oidc_configs.app_id`)
+	expectedProjectByAppQuery = regexp.QuoteMeta(`SELECT projections.projects2.id,` +
+		` projections.projects2.creation_date,` +
+		` projections.projects2.change_date,` +
+		` projections.projects2.resource_owner,` +
+		` projections.projects2.state,` +
+		` projections.projects2.sequence,` +
+		` projections.projects2.name,` +
+		` projections.projects2.project_role_assertion,` +
+		` projections.projects2.project_role_check,` +
+		` projections.projects2.has_project_check,` +
+		` projections.projects2.private_labeling_setting` +
+		` FROM projections.projects2` +
+		` JOIN projections.apps2 ON projections.projects2.id = projections.apps2.project_id` +
+		` LEFT JOIN projections.apps2_api_configs ON projections.apps2.id = projections.apps2_api_configs.app_id` +
+		` LEFT JOIN projections.apps2_oidc_configs ON projections.apps2.id = projections.apps2_oidc_configs.app_id`)

-	appCols = []string{
+	appCols = database.StringArray{
 		"id",
 		"name",
 		"project_id",
@@ -312,19 +311,19 @@ func Test_AppsPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							true,
 							domain.OIDCTokenTypeJWT,
 							true,
 							true,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -346,21 +345,21 @@ func Test_AppsPrepare(t *testing.T) {
 						OIDCConfig: &OIDCApp{
 							Version:                domain.OIDCVersionV1,
 							ClientID:               "oidc-client-id",
-							RedirectURIs:           []string{"https://redirect.to/me"},
-							ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-							GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+							RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+							ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							AppType:                domain.OIDCApplicationTypeUserAgent,
 							AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-							PostLogoutRedirectURIs: []string{"post.logout.ch"},
+							PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 							IsDevMode:              true,
 							AccessTokenType:        domain.OIDCTokenTypeJWT,
 							AssertAccessTokenRole:  true,
 							AssertIDTokenRole:      true,
 							AssertIDTokenUserinfo:  true,
 							ClockSkew:              1 * time.Second,
-							AdditionalOrigins:      []string{"additional.origin"},
+							AdditionalOrigins:      database.StringArray{"additional.origin"},
 							ComplianceProblems:     nil,
-							AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+							AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 						},
 					},
 				},
@@ -391,19 +390,19 @@ func Test_AppsPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							false,
 							domain.OIDCTokenTypeJWT,
 							false,
 							false,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -425,21 +424,21 @@ func Test_AppsPrepare(t *testing.T) {
 						OIDCConfig: &OIDCApp{
 							Version:                domain.OIDCVersionV1,
 							ClientID:               "oidc-client-id",
-							RedirectURIs:           []string{"https://redirect.to/me"},
-							ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-							GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+							RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+							ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							AppType:                domain.OIDCApplicationTypeUserAgent,
 							AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-							PostLogoutRedirectURIs: []string{"post.logout.ch"},
+							PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 							IsDevMode:              false,
 							AccessTokenType:        domain.OIDCTokenTypeJWT,
 							AssertAccessTokenRole:  false,
 							AssertIDTokenRole:      false,
 							AssertIDTokenUserinfo:  true,
 							ClockSkew:              1 * time.Second,
-							AdditionalOrigins:      []string{"additional.origin"},
+							AdditionalOrigins:      database.StringArray{"additional.origin"},
 							ComplianceProblems:     nil,
-							AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+							AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 						},
 					},
 				},
@@ -470,19 +469,19 @@ func Test_AppsPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							true,
 							domain.OIDCTokenTypeJWT,
 							true,
 							false,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -504,21 +503,21 @@ func Test_AppsPrepare(t *testing.T) {
 						OIDCConfig: &OIDCApp{
 							Version:                domain.OIDCVersionV1,
 							ClientID:               "oidc-client-id",
-							RedirectURIs:           []string{"https://redirect.to/me"},
-							ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-							GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+							RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+							ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							AppType:                domain.OIDCApplicationTypeUserAgent,
 							AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-							PostLogoutRedirectURIs: []string{"post.logout.ch"},
+							PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 							IsDevMode:              true,
 							AccessTokenType:        domain.OIDCTokenTypeJWT,
 							AssertAccessTokenRole:  true,
 							AssertIDTokenRole:      false,
 							AssertIDTokenUserinfo:  true,
 							ClockSkew:              1 * time.Second,
-							AdditionalOrigins:      []string{"additional.origin"},
+							AdditionalOrigins:      database.StringArray{"additional.origin"},
 							ComplianceProblems:     nil,
-							AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+							AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 						},
 					},
 				},
@@ -549,19 +548,19 @@ func Test_AppsPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							false,
 							domain.OIDCTokenTypeJWT,
 							false,
 							true,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -583,21 +582,21 @@ func Test_AppsPrepare(t *testing.T) {
 						OIDCConfig: &OIDCApp{
 							Version:                domain.OIDCVersionV1,
 							ClientID:               "oidc-client-id",
-							RedirectURIs:           []string{"https://redirect.to/me"},
-							ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-							GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+							RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+							ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							AppType:                domain.OIDCApplicationTypeUserAgent,
 							AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-							PostLogoutRedirectURIs: []string{"post.logout.ch"},
+							PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 							IsDevMode:              false,
 							AccessTokenType:        domain.OIDCTokenTypeJWT,
 							AssertAccessTokenRole:  false,
 							AssertIDTokenRole:      true,
 							AssertIDTokenUserinfo:  true,
 							ClockSkew:              1 * time.Second,
-							AdditionalOrigins:      []string{"additional.origin"},
+							AdditionalOrigins:      database.StringArray{"additional.origin"},
 							ComplianceProblems:     nil,
-							AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+							AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 						},
 					},
 				},
@@ -628,19 +627,19 @@ func Test_AppsPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							false,
 							domain.OIDCTokenTypeJWT,
 							true,
 							true,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -662,21 +661,21 @@ func Test_AppsPrepare(t *testing.T) {
 						OIDCConfig: &OIDCApp{
 							Version:                domain.OIDCVersionV1,
 							ClientID:               "oidc-client-id",
-							RedirectURIs:           []string{"https://redirect.to/me"},
-							ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-							GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+							RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+							ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							AppType:                domain.OIDCApplicationTypeUserAgent,
 							AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-							PostLogoutRedirectURIs: []string{"post.logout.ch"},
+							PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 							IsDevMode:              false,
 							AccessTokenType:        domain.OIDCTokenTypeJWT,
 							AssertAccessTokenRole:  true,
 							AssertIDTokenRole:      true,
 							AssertIDTokenUserinfo:  true,
 							ClockSkew:              1 * time.Second,
-							AdditionalOrigins:      []string{"additional.origin"},
+							AdditionalOrigins:      database.StringArray{"additional.origin"},
 							ComplianceProblems:     nil,
-							AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+							AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 						},
 					},
 				},
@@ -707,19 +706,19 @@ func Test_AppsPrepare(t *testing.T) {
 							"oidc-app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							true,
 							domain.OIDCTokenTypeJWT,
 							true,
 							true,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 						{
 							"api-app-id",
@@ -772,21 +771,21 @@ func Test_AppsPrepare(t *testing.T) {
 						OIDCConfig: &OIDCApp{
 							Version:                domain.OIDCVersionV1,
 							ClientID:               "oidc-client-id",
-							RedirectURIs:           []string{"https://redirect.to/me"},
-							ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-							GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+							RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+							ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							AppType:                domain.OIDCApplicationTypeUserAgent,
 							AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-							PostLogoutRedirectURIs: []string{"post.logout.ch"},
+							PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 							IsDevMode:              true,
 							AccessTokenType:        domain.OIDCTokenTypeJWT,
 							AssertAccessTokenRole:  true,
 							AssertIDTokenRole:      true,
 							AssertIDTokenUserinfo:  true,
 							ClockSkew:              1 * time.Second,
-							AdditionalOrigins:      []string{"additional.origin"},
+							AdditionalOrigins:      database.StringArray{"additional.origin"},
 							ComplianceProblems:     nil,
-							AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+							AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 						},
 					},
 					{
@@ -993,19 +992,19 @@ func Test_AppPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							true,
 							domain.OIDCTokenTypeJWT,
 							true,
 							true,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -1022,21 +1021,21 @@ func Test_AppPrepare(t *testing.T) {
 				OIDCConfig: &OIDCApp{
 					Version:                domain.OIDCVersionV1,
 					ClientID:               "oidc-client-id",
-					RedirectURIs:           []string{"https://redirect.to/me"},
-					ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-					GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+					RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+					ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+					GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 					AppType:                domain.OIDCApplicationTypeUserAgent,
 					AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-					PostLogoutRedirectURIs: []string{"post.logout.ch"},
+					PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 					IsDevMode:              true,
 					AccessTokenType:        domain.OIDCTokenTypeJWT,
 					AssertAccessTokenRole:  true,
 					AssertIDTokenRole:      true,
 					AssertIDTokenUserinfo:  true,
 					ClockSkew:              1 * time.Second,
-					AdditionalOrigins:      []string{"additional.origin"},
+					AdditionalOrigins:      database.StringArray{"additional.origin"},
 					ComplianceProblems:     nil,
-					AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+					AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 				},
 			},
 		},
@@ -1065,19 +1064,19 @@ func Test_AppPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							false,
 							domain.OIDCTokenTypeJWT,
 							true,
 							true,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -1094,21 +1093,21 @@ func Test_AppPrepare(t *testing.T) {
 				OIDCConfig: &OIDCApp{
 					Version:                domain.OIDCVersionV1,
 					ClientID:               "oidc-client-id",
-					RedirectURIs:           []string{"https://redirect.to/me"},
-					ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-					GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+					RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+					ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+					GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 					AppType:                domain.OIDCApplicationTypeUserAgent,
 					AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-					PostLogoutRedirectURIs: []string{"post.logout.ch"},
+					PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 					IsDevMode:              false,
 					AccessTokenType:        domain.OIDCTokenTypeJWT,
 					AssertAccessTokenRole:  true,
 					AssertIDTokenRole:      true,
 					AssertIDTokenUserinfo:  true,
 					ClockSkew:              1 * time.Second,
-					AdditionalOrigins:      []string{"additional.origin"},
+					AdditionalOrigins:      database.StringArray{"additional.origin"},
 					ComplianceProblems:     nil,
-					AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+					AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 				},
 			},
 		},
@@ -1137,19 +1136,19 @@ func Test_AppPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							true,
 							domain.OIDCTokenTypeJWT,
 							false,
 							true,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -1166,21 +1165,21 @@ func Test_AppPrepare(t *testing.T) {
 				OIDCConfig: &OIDCApp{
 					Version:                domain.OIDCVersionV1,
 					ClientID:               "oidc-client-id",
-					RedirectURIs:           []string{"https://redirect.to/me"},
-					ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-					GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+					RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+					ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+					GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 					AppType:                domain.OIDCApplicationTypeUserAgent,
 					AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-					PostLogoutRedirectURIs: []string{"post.logout.ch"},
+					PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 					IsDevMode:              true,
 					AccessTokenType:        domain.OIDCTokenTypeJWT,
 					AssertAccessTokenRole:  false,
 					AssertIDTokenRole:      true,
 					AssertIDTokenUserinfo:  true,
 					ClockSkew:              1 * time.Second,
-					AdditionalOrigins:      []string{"additional.origin"},
+					AdditionalOrigins:      database.StringArray{"additional.origin"},
 					ComplianceProblems:     nil,
-					AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+					AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 				},
 			},
 		},
@@ -1209,19 +1208,19 @@ func Test_AppPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							true,
 							domain.OIDCTokenTypeJWT,
 							true,
 							false,
 							true,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -1238,21 +1237,21 @@ func Test_AppPrepare(t *testing.T) {
 				OIDCConfig: &OIDCApp{
 					Version:                domain.OIDCVersionV1,
 					ClientID:               "oidc-client-id",
-					RedirectURIs:           []string{"https://redirect.to/me"},
-					ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-					GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+					RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+					ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+					GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 					AppType:                domain.OIDCApplicationTypeUserAgent,
 					AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-					PostLogoutRedirectURIs: []string{"post.logout.ch"},
+					PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 					IsDevMode:              true,
 					AccessTokenType:        domain.OIDCTokenTypeJWT,
 					AssertAccessTokenRole:  true,
 					AssertIDTokenRole:      false,
 					AssertIDTokenUserinfo:  true,
 					ClockSkew:              1 * time.Second,
-					AdditionalOrigins:      []string{"additional.origin"},
+					AdditionalOrigins:      database.StringArray{"additional.origin"},
 					ComplianceProblems:     nil,
-					AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+					AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 				},
 			},
 		},
@@ -1281,19 +1280,19 @@ func Test_AppPrepare(t *testing.T) {
 							"app-id",
 							domain.OIDCVersionV1,
 							"oidc-client-id",
-							pq.StringArray{"https://redirect.to/me"},
-							pq.Int32Array{int32(domain.OIDCResponseTypeIDTokenToken)},
-							pq.Int32Array{int32(domain.OIDCGrantTypeImplicit)},
+							database.StringArray{"https://redirect.to/me"},
+							database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 							domain.OIDCApplicationTypeUserAgent,
 							domain.OIDCAuthMethodTypeNone,
-							pq.StringArray{"post.logout.ch"},
+							database.StringArray{"post.logout.ch"},
 							true,
 							domain.OIDCTokenTypeJWT,
 							true,
 							true,
 							false,
 							1 * time.Second,
-							pq.StringArray{"additional.origin"},
+							database.StringArray{"additional.origin"},
 						},
 					},
 				),
@@ -1310,21 +1309,21 @@ func Test_AppPrepare(t *testing.T) {
 				OIDCConfig: &OIDCApp{
 					Version:                domain.OIDCVersionV1,
 					ClientID:               "oidc-client-id",
-					RedirectURIs:           []string{"https://redirect.to/me"},
-					ResponseTypes:          []domain.OIDCResponseType{domain.OIDCResponseTypeIDTokenToken},
-					GrantTypes:             []domain.OIDCGrantType{domain.OIDCGrantTypeImplicit},
+					RedirectURIs:           database.StringArray{"https://redirect.to/me"},
+					ResponseTypes:          database.EnumArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+					GrantTypes:             database.EnumArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
 					AppType:                domain.OIDCApplicationTypeUserAgent,
 					AuthMethodType:         domain.OIDCAuthMethodTypeNone,
-					PostLogoutRedirectURIs: []string{"post.logout.ch"},
+					PostLogoutRedirectURIs: database.StringArray{"post.logout.ch"},
 					IsDevMode:              true,
 					AccessTokenType:        domain.OIDCTokenTypeJWT,
 					AssertAccessTokenRole:  true,
 					AssertIDTokenRole:      true,
 					AssertIDTokenUserinfo:  false,
 					ClockSkew:              1 * time.Second,
-					AdditionalOrigins:      []string{"additional.origin"},
+					AdditionalOrigins:      database.StringArray{"additional.origin"},
 					ComplianceProblems:     nil,
-					AllowedOrigins:         []string{"https://redirect.to", "additional.origin"},
+					AllowedOrigins:         database.StringArray{"https://redirect.to", "additional.origin"},
 				},
 			},
 		},
@@ -1382,7 +1381,7 @@ func Test_AppIDsPrepare(t *testing.T) {
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppIDsQuery,
-					[]string{"client_id", "client_id"},
+					database.StringArray{"client_id", "client_id"},
 					[][]driver.Value{
 						{
 							"app-id",
@@ -1399,7 +1398,7 @@ func Test_AppIDsPrepare(t *testing.T) {
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppIDsQuery,
-					[]string{"client_id", "client_id"},
+					database.StringArray{"client_id", "client_id"},
 					[][]driver.Value{
 						{
 							nil,
@@ -1474,7 +1473,7 @@ func Test_ProjectIDByAppPrepare(t *testing.T) {
 			want: want{
 				sqlExpectations: mockQuery(
 					expectedProjectIDByAppQuery,
-					[]string{"project_id"},
+					database.StringArray{"project_id"},
 					[]driver.Value{"project-id"},
 				),
 			},