chore: remove unnecessary check constraint

GitOrigin-RevId: b74f7488fb5191ac8336f1887994b5ebbe0aae89
Patrik 2025-12-08 12:06:24 +01:00 committed by ory-bot
parent d2c58c4980
commit b7b297e52b
19 changed files with 786 additions and 194 deletions


@ -484,6 +484,9 @@ func (f *Flow) BeforeSave(_ *pop.Connection) error {
func (f *Flow) AfterFind(c *pop.Connection) error { func (f *Flow) AfterFind(c *pop.Connection) error {
// TODO Populate the client field in FindInDB and FindByConsentChallengeID in // TODO Populate the client field in FindInDB and FindByConsentChallengeID in
// order to avoid accessing the database twice. // order to avoid accessing the database twice.
if f.ClientID == "" {
return nil
}
f.AfterSave(c) f.AfterSave(c)
f.Client = &client.Client{} f.Client = &client.Client{}
return sqlcon.HandleError(c.Where("id = ? AND nid = ?", f.ClientID, f.NID).First(f.Client)) return sqlcon.HandleError(c.Where("id = ? AND nid = ?", f.ClientID, f.NID).First(f.Client))
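Review bot: The new early return for an empty `f.ClientID` leaves `f.Client` nil and also skips `f.AfterSave(c)`, and nothing in the hunk tells callers that a successfully loaded flow may now have no client. Any login or consent handler that dereferences `f.Client` after a lookup would panic on such a row, so the contract should be stated above the guard, e.g. `// Reduced flows have no client_id: f.Client stays nil and callers must check it before use.` If AfterSave does work that reduced flows also need, the guard belongs after that call; its body is not visible here. AfterFind's closing brace is outside the hunk.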


@ -1,4 +1,4 @@
-- migrations hash: 50fee568f492d7cbf7edabd240b0b534f15a23da153bdfd04f55cd470a41a9650b3561b8a943d6c35e867fb444b35cf21ae3b242e256fbcbb6b4fe59f10775a7 -- migrations hash: 55b905a5cead652db5b4a5e317d60ad18bd9e6de61d4b43edcdb79244947fbf9b106783f10765f2ffa4d7952c745900c2406f522a101dbed17e5785396484e41
CREATE TABLE public.schema_migration ( CREATE TABLE public.schema_migration (
version VARCHAR(48) NOT NULL, version VARCHAR(48) NOT NULL,
@ -128,38 +128,38 @@ CREATE TABLE public.hydra_oauth2_logout_request (
); );
CREATE TABLE public.hydra_oauth2_flow ( CREATE TABLE public.hydra_oauth2_flow (
login_challenge VARCHAR(40) NOT NULL, login_challenge VARCHAR(40) NOT NULL,
login_verifier VARCHAR(40) NOT NULL, login_verifier VARCHAR(40) NULL,
login_csrf VARCHAR(40) NOT NULL, login_csrf VARCHAR(40) NULL,
subject VARCHAR(255) NOT NULL, subject VARCHAR(255) NULL,
request_url STRING NOT NULL, request_url STRING NULL,
login_skip BOOL NOT NULL, login_skip BOOL NULL,
client_id VARCHAR(255) NOT NULL, client_id VARCHAR(255) NULL,
requested_at TIMESTAMP NOT NULL DEFAULT now():::TIMESTAMP, requested_at TIMESTAMP NOT NULL DEFAULT now():::TIMESTAMP,
login_initialized_at TIMESTAMP NULL, login_initialized_at TIMESTAMP NULL,
oidc_context JSONB NOT NULL, oidc_context JSONB NULL,
login_session_id VARCHAR(40) NULL, login_session_id VARCHAR(40) NULL,
state INT8 NOT NULL, state INT8 NULL,
login_remember BOOL NOT NULL, login_remember BOOL NULL,
login_remember_for INT8 NOT NULL, login_remember_for INT8 NULL,
login_error STRING NULL, login_error STRING NULL,
acr STRING NOT NULL, acr STRING NULL,
login_authenticated_at TIMESTAMP NULL, login_authenticated_at TIMESTAMP NULL,
login_was_used BOOL NOT NULL, login_was_used BOOL NULL,
forced_subject_identifier VARCHAR(255) NULL, forced_subject_identifier VARCHAR(255) NULL,
context JSONB NULL, context JSONB NULL,
consent_challenge_id VARCHAR(40) NULL, consent_challenge_id VARCHAR(40) NULL,
consent_skip BOOL NOT NULL, consent_skip BOOL NULL,
consent_verifier VARCHAR(40) NULL, consent_verifier VARCHAR(40) NULL,
consent_csrf VARCHAR(40) NULL, consent_csrf VARCHAR(40) NULL,
consent_remember BOOL NOT NULL, consent_remember BOOL NULL,
consent_remember_for INT8 NULL, consent_remember_for INT8 NULL,
consent_handled_at TIMESTAMP NULL, consent_handled_at TIMESTAMP NULL,
consent_error STRING NULL, consent_error STRING NULL,
session_access_token JSONB NOT NULL, session_access_token JSONB NULL,
session_id_token JSONB NOT NULL, session_id_token JSONB NULL,
consent_was_used BOOL NOT NULL, consent_was_used BOOL NULL,
nid UUID NOT NULL, nid UUID NOT NULL,
requested_scope JSONB NOT NULL, requested_scope JSONB NULL,
requested_at_audience JSONB NULL, requested_at_audience JSONB NULL,
amr JSONB NULL, amr JSONB NULL,
granted_scope JSONB NULL, granted_scope JSONB NULL,
@ -181,8 +181,7 @@ CREATE TABLE public.hydra_oauth2_flow (
INDEX hydra_oauth2_flow_login_session_id_idx (login_session_id ASC, nid ASC), INDEX hydra_oauth2_flow_login_session_id_idx (login_session_id ASC, nid ASC),
INDEX hydra_oauth2_flow_sub_idx (subject ASC, nid ASC), INDEX hydra_oauth2_flow_sub_idx (subject ASC, nid ASC),
INDEX hydra_oauth2_flow_previous_consents_idx (subject ASC, client_id ASC, nid ASC, consent_skip ASC, consent_error ASC, consent_remember ASC), INDEX hydra_oauth2_flow_previous_consents_idx (subject ASC, client_id ASC, nid ASC, consent_skip ASC, consent_error ASC, consent_remember ASC),
UNIQUE INDEX hydra_oauth2_flow_device_challenge_idx (device_challenge_id ASC), UNIQUE INDEX hydra_oauth2_flow_device_challenge_idx (device_challenge_id ASC)
CONSTRAINT check_state_state_state_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_granted_scope_consent_remember_consent_remember_for_consent_error_session_access_token_session_id_token_consent_was_used CHECK ((((((((state = 128:::INT8) OR (state = 129:::INT8)) OR (state = 1:::INT8)) OR ((state = 2:::INT8) AND (((((((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL)) AND (login_error IS NOT NULL)) AND (acr IS NOT NULL)) AND (login_was_used IS NOT NULL)) AND (context IS NOT NULL)) AND (amr IS NOT NULL)))) OR ((state = 3:::INT8) AND (((((((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL)) AND (login_error IS NOT NULL)) AND (acr IS NOT NULL)) AND (login_was_used IS NOT NULL)) AND (context IS NOT NULL)) AND (amr IS NOT NULL)))) OR ((state = 4:::INT8) AND (((((((((((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL)) AND (login_error IS NOT NULL)) AND (acr IS NOT NULL)) AND (login_was_used IS NOT NULL)) AND (context IS NOT NULL)) AND (amr IS NOT NULL)) AND (consent_challenge_id IS NOT NULL)) AND (consent_verifier IS NOT NULL)) AND (consent_skip IS NOT NULL)) AND (consent_csrf IS NOT NULL)))) OR ((state = 5:::INT8) AND (((((((((((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL)) AND (login_error IS NOT NULL)) AND (acr IS NOT NULL)) AND (login_was_used IS NOT NULL)) AND (context IS NOT NULL)) AND (amr IS NOT NULL)) AND (consent_challenge_id IS NOT NULL)) AND 
(consent_verifier IS NOT NULL)) AND (consent_skip IS NOT NULL)) AND (consent_csrf IS NOT NULL)))) OR ((state = 6:::INT8) AND ((((((((((((((((((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL)) AND (login_error IS NOT NULL)) AND (acr IS NOT NULL)) AND (login_was_used IS NOT NULL)) AND (context IS NOT NULL)) AND (amr IS NOT NULL)) AND (consent_challenge_id IS NOT NULL)) AND (consent_verifier IS NOT NULL)) AND (consent_skip IS NOT NULL)) AND (consent_csrf IS NOT NULL)) AND (granted_scope IS NOT NULL)) AND (consent_remember IS NOT NULL)) AND (consent_remember_for IS NOT NULL)) AND (consent_error IS NOT NULL)) AND (session_access_token IS NOT NULL)) AND (session_id_token IS NOT NULL)) AND (consent_was_used IS NOT NULL))))
); );
CREATE TABLE public.hydra_oauth2_access ( CREATE TABLE public.hydra_oauth2_access (
signature VARCHAR(255) NOT NULL, signature VARCHAR(255) NOT NULL,


@ -1,4 +1,4 @@
-- migrations hash: 50fee568f492d7cbf7edabd240b0b534f15a23da153bdfd04f55cd470a41a9650b3561b8a943d6c35e867fb444b35cf21ae3b242e256fbcbb6b4fe59f10775a7 -- migrations hash: 55b905a5cead652db5b4a5e317d60ad18bd9e6de61d4b43edcdb79244947fbf9b106783f10765f2ffa4d7952c745900c2406f522a101dbed17e5785396484e41
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
@ -217,42 +217,42 @@ DROP TABLE IF EXISTS `hydra_oauth2_flow`;
/*!50503 SET character_set_client = utf8mb4 */; /*!50503 SET character_set_client = utf8mb4 */;
CREATE TABLE `hydra_oauth2_flow` ( CREATE TABLE `hydra_oauth2_flow` (
`login_challenge` varchar(40) NOT NULL, `login_challenge` varchar(40) NOT NULL,
`login_verifier` varchar(40) NOT NULL, `login_verifier` varchar(40) DEFAULT NULL,
`login_csrf` varchar(40) NOT NULL, `login_csrf` varchar(40) DEFAULT NULL,
`subject` varchar(255) NOT NULL, `subject` varchar(255) DEFAULT NULL,
`request_url` text NOT NULL, `request_url` text,
`login_skip` tinyint(1) NOT NULL, `login_skip` tinyint(1) DEFAULT NULL,
`client_id` varchar(255) NOT NULL, `client_id` varchar(255) DEFAULT NULL,
`requested_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP, `requested_at` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`login_initialized_at` timestamp NULL DEFAULT NULL, `login_initialized_at` timestamp NULL DEFAULT NULL,
`oidc_context` json NOT NULL, `oidc_context` json DEFAULT NULL,
`login_session_id` varchar(40), `login_session_id` varchar(40) DEFAULT NULL,
`state` smallint NOT NULL, `state` smallint DEFAULT NULL,
`login_remember` tinyint(1) NOT NULL, `login_remember` tinyint(1) DEFAULT NULL,
`login_remember_for` int NOT NULL, `login_remember_for` int DEFAULT NULL,
`login_error` text, `login_error` text,
`acr` text NOT NULL, `acr` text,
`login_authenticated_at` timestamp NULL DEFAULT NULL, `login_authenticated_at` timestamp NULL DEFAULT NULL,
`login_was_used` tinyint(1) NOT NULL, `login_was_used` tinyint(1) DEFAULT NULL,
`forced_subject_identifier` varchar(255) DEFAULT NULL, `forced_subject_identifier` varchar(255) DEFAULT NULL,
`context` json NOT NULL, `context` json DEFAULT NULL,
`consent_challenge_id` varchar(40) DEFAULT NULL, `consent_challenge_id` varchar(40) DEFAULT NULL,
`consent_skip` tinyint(1) NOT NULL, `consent_skip` tinyint(1) DEFAULT NULL,
`consent_verifier` varchar(40) DEFAULT NULL, `consent_verifier` varchar(40) DEFAULT NULL,
`consent_csrf` varchar(40) DEFAULT NULL, `consent_csrf` varchar(40) DEFAULT NULL,
`consent_remember` tinyint(1) NOT NULL, `consent_remember` tinyint(1) DEFAULT NULL,
`consent_remember_for` int DEFAULT NULL, `consent_remember_for` int DEFAULT NULL,
`consent_handled_at` timestamp NULL DEFAULT NULL, `consent_handled_at` timestamp NULL DEFAULT NULL,
`consent_error` text, `consent_error` text,
`session_access_token` json NOT NULL, `session_access_token` json DEFAULT NULL,
`session_id_token` json NOT NULL, `session_id_token` json DEFAULT NULL,
`consent_was_used` tinyint(1), `consent_was_used` tinyint(1) DEFAULT NULL,
`nid` char(36) NOT NULL, `nid` char(36) NOT NULL,
`requested_scope` json NOT NULL, `requested_scope` json DEFAULT NULL,
`requested_at_audience` json, `requested_at_audience` json DEFAULT NULL,
`amr` json, `amr` json DEFAULT NULL,
`granted_scope` json DEFAULT NULL, `granted_scope` json DEFAULT NULL,
`granted_at_audience` json, `granted_at_audience` json DEFAULT NULL,
`login_extend_session_lifespan` tinyint(1) DEFAULT NULL, `login_extend_session_lifespan` tinyint(1) DEFAULT NULL,
`identity_provider_session_id` varchar(40) DEFAULT NULL, `identity_provider_session_id` varchar(40) DEFAULT NULL,
`device_challenge_id` varchar(255) DEFAULT NULL, `device_challenge_id` varchar(255) DEFAULT NULL,
@ -273,8 +273,7 @@ CREATE TABLE `hydra_oauth2_flow` (
KEY `hydra_oauth2_flow_previous_consents_idx` (`subject`,`client_id`,`nid`,`consent_skip`,`consent_error`(2),`consent_remember`), KEY `hydra_oauth2_flow_previous_consents_idx` (`subject`,`client_id`,`nid`,`consent_skip`,`consent_error`(2),`consent_remember`),
CONSTRAINT `hydra_oauth2_flow_client_id_fk` FOREIGN KEY (`client_id`, `nid`) REFERENCES `hydra_client` (`id`, `nid`) ON DELETE CASCADE, CONSTRAINT `hydra_oauth2_flow_client_id_fk` FOREIGN KEY (`client_id`, `nid`) REFERENCES `hydra_client` (`id`, `nid`) ON DELETE CASCADE,
CONSTRAINT `hydra_oauth2_flow_login_session_id_fk` FOREIGN KEY (`login_session_id`) REFERENCES `hydra_oauth2_authentication_session` (`id`) ON DELETE SET NULL, CONSTRAINT `hydra_oauth2_flow_login_session_id_fk` FOREIGN KEY (`login_session_id`) REFERENCES `hydra_oauth2_authentication_session` (`id`) ON DELETE SET NULL,
CONSTRAINT `hydra_oauth2_flow_nid_fk_idx` FOREIGN KEY (`nid`) REFERENCES `networks` (`id`) ON DELETE CASCADE ON UPDATE RESTRICT, CONSTRAINT `hydra_oauth2_flow_nid_fk_idx` FOREIGN KEY (`nid`) REFERENCES `networks` (`id`) ON DELETE CASCADE ON UPDATE RESTRICT
CONSTRAINT `hydra_oauth2_flow_chk` CHECK (((`state` = 128) or (`state` = 129) or (`state` = 1) or ((`state` = 2) and (`login_remember` is not null) and (`login_remember_for` is not null) and (`login_error` is not null) and (`acr` is not null) and (`login_was_used` is not null) and (`context` is not null) and (`amr` is not null)) or ((`state` = 3) and (`login_remember` is not null) and (`login_remember_for` is not null) and (`login_error` is not null) and (`acr` is not null) and (`login_was_used` is not null) and (`context` is not null) and (`amr` is not null)) or ((`state` = 4) and (`login_remember` is not null) and (`login_remember_for` is not null) and (`login_error` is not null) and (`acr` is not null) and (`login_was_used` is not null) and (`context` is not null) and (`amr` is not null) and (`consent_challenge_id` is not null) and (`consent_verifier` is not null) and (`consent_skip` is not null) and (`consent_csrf` is not null)) or ((`state` = 5) and (`login_remember` is not null) and (`login_remember_for` is not null) and (`login_error` is not null) and (`acr` is not null) and (`login_was_used` is not null) and (`context` is not null) and (`amr` is not null) and (`consent_challenge_id` is not null) and (`consent_verifier` is not null) and (`consent_skip` is not null) and (`consent_csrf` is not null)) or ((`state` = 6) and (`login_remember` is not null) and (`login_remember_for` is not null) and (`login_error` is not null) and (`acr` is not null) and (`login_was_used` is not null) and (`context` is not null) and (`amr` is not null) and (`consent_challenge_id` is not null) and (`consent_verifier` is not null) and (`consent_skip` is not null) and (`consent_csrf` is not null) and (`granted_scope` is not null) and (`consent_remember` is not null) and (`consent_remember_for` is not null) and (`consent_error` is not null) and (`session_access_token` is not null) and (`session_id_token` is not null) and (`consent_was_used` is not null))))
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci; ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
/*!40101 SET character_set_client = @saved_cs_client */; /*!40101 SET character_set_client = @saved_cs_client */;


@ -1,4 +1,4 @@
-- migrations hash: 50fee568f492d7cbf7edabd240b0b534f15a23da153bdfd04f55cd470a41a9650b3561b8a943d6c35e867fb444b35cf21ae3b242e256fbcbb6b4fe59f10775a7 -- migrations hash: 55b905a5cead652db5b4a5e317d60ad18bd9e6de61d4b43edcdb79244947fbf9b106783f10765f2ffa4d7952c745900c2406f522a101dbed17e5785396484e41
@ -194,38 +194,38 @@ ALTER TABLE public.hydra_oauth2_device_auth_codes OWNER TO postgres;
CREATE TABLE public.hydra_oauth2_flow ( CREATE TABLE public.hydra_oauth2_flow (
login_challenge character varying(40) NOT NULL, login_challenge character varying(40) NOT NULL,
login_verifier character varying(40) NOT NULL, login_verifier character varying(40),
login_csrf character varying(40) NOT NULL, login_csrf character varying(40),
subject character varying(255) NOT NULL, subject character varying(255),
request_url text NOT NULL, request_url text,
login_skip boolean NOT NULL, login_skip boolean,
client_id character varying(255) NOT NULL, client_id character varying(255),
requested_at timestamp without time zone DEFAULT now() NOT NULL, requested_at timestamp without time zone DEFAULT now() NOT NULL,
login_initialized_at timestamp without time zone, login_initialized_at timestamp without time zone,
oidc_context jsonb NOT NULL, oidc_context jsonb,
login_session_id character varying(40), login_session_id character varying(40),
state integer NOT NULL, state integer,
login_remember boolean NOT NULL, login_remember boolean,
login_remember_for integer NOT NULL, login_remember_for integer,
login_error text, login_error text,
acr text NOT NULL, acr text,
login_authenticated_at timestamp without time zone, login_authenticated_at timestamp without time zone,
login_was_used boolean NOT NULL, login_was_used boolean,
forced_subject_identifier character varying(255), forced_subject_identifier character varying(255),
context jsonb NOT NULL, context jsonb,
consent_challenge_id character varying(40), consent_challenge_id character varying(40),
consent_skip boolean NOT NULL, consent_skip boolean,
consent_verifier character varying(40), consent_verifier character varying(40),
consent_csrf character varying(40), consent_csrf character varying(40),
consent_remember boolean NOT NULL, consent_remember boolean,
consent_remember_for integer, consent_remember_for integer,
consent_handled_at timestamp without time zone, consent_handled_at timestamp without time zone,
consent_error text, consent_error text,
session_access_token jsonb NOT NULL, session_access_token jsonb,
session_id_token jsonb NOT NULL, session_id_token jsonb,
consent_was_used boolean NOT NULL, consent_was_used boolean,
nid uuid NOT NULL, nid uuid NOT NULL,
requested_scope jsonb NOT NULL, requested_scope jsonb,
requested_at_audience jsonb, requested_at_audience jsonb,
amr jsonb, amr jsonb,
granted_scope jsonb, granted_scope jsonb,
@ -243,8 +243,7 @@ CREATE TABLE public.hydra_oauth2_flow (
CASE CASE
WHEN (consent_remember_for > 0) THEN (requested_at + ((consent_remember_for)::double precision * '00:00:01'::interval)) WHEN (consent_remember_for > 0) THEN (requested_at + ((consent_remember_for)::double precision * '00:00:01'::interval))
ELSE NULL::timestamp without time zone ELSE NULL::timestamp without time zone
END) STORED, END) STORED
CONSTRAINT hydra_oauth2_flow_check CHECK (((state = 128) OR (state = 129) OR (state = 1) OR ((state = 2) AND ((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND (login_error IS NOT NULL) AND (acr IS NOT NULL) AND (login_was_used IS NOT NULL) AND (context IS NOT NULL) AND (amr IS NOT NULL))) OR ((state = 3) AND ((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND (login_error IS NOT NULL) AND (acr IS NOT NULL) AND (login_was_used IS NOT NULL) AND (context IS NOT NULL) AND (amr IS NOT NULL))) OR ((state = 4) AND ((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND (login_error IS NOT NULL) AND (acr IS NOT NULL) AND (login_was_used IS NOT NULL) AND (context IS NOT NULL) AND (amr IS NOT NULL) AND (consent_challenge_id IS NOT NULL) AND (consent_verifier IS NOT NULL) AND (consent_skip IS NOT NULL) AND (consent_csrf IS NOT NULL))) OR ((state = 5) AND ((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND (login_error IS NOT NULL) AND (acr IS NOT NULL) AND (login_was_used IS NOT NULL) AND (context IS NOT NULL) AND (amr IS NOT NULL) AND (consent_challenge_id IS NOT NULL) AND (consent_verifier IS NOT NULL) AND (consent_skip IS NOT NULL) AND (consent_csrf IS NOT NULL))) OR ((state = 6) AND ((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND (login_error IS NOT NULL) AND (acr IS NOT NULL) AND (login_was_used IS NOT NULL) AND (context IS NOT NULL) AND (amr IS NOT NULL) AND (consent_challenge_id IS NOT NULL) AND (consent_verifier IS NOT NULL) AND (consent_skip IS NOT NULL) AND (consent_csrf IS NOT NULL) AND (granted_scope IS NOT NULL) AND (consent_remember IS NOT NULL) AND (consent_remember_for IS NOT NULL) AND (consent_error IS NOT NULL) AND (session_access_token IS NOT NULL) AND (session_id_token IS NOT NULL) AND (consent_was_used IS NOT NULL)))))
); );
ALTER TABLE public.hydra_oauth2_flow OWNER TO postgres; ALTER TABLE public.hydra_oauth2_flow OWNER TO postgres;


@ -1,4 +1,4 @@
-- migrations hash: 50fee568f492d7cbf7edabd240b0b534f15a23da153bdfd04f55cd470a41a9650b3561b8a943d6c35e867fb444b35cf21ae3b242e256fbcbb6b4fe59f10775a7 -- migrations hash: 55b905a5cead652db5b4a5e317d60ad18bd9e6de61d4b43edcdb79244947fbf9b106783f10765f2ffa4d7952c745900c2406f522a101dbed17e5785396484e41
CREATE TABLE "hydra_client" CREATE TABLE "hydra_client"
( (
@ -148,130 +148,61 @@ CREATE INDEX hydra_oauth2_device_auth_codes_client_id_idx ON hydra_oauth2_device
CREATE INDEX hydra_oauth2_device_auth_codes_request_id_idx ON hydra_oauth2_device_auth_codes (request_id, nid); CREATE INDEX hydra_oauth2_device_auth_codes_request_id_idx ON hydra_oauth2_device_auth_codes (request_id, nid);
CREATE UNIQUE INDEX hydra_oauth2_device_auth_codes_user_code_signature_idx ON hydra_oauth2_device_auth_codes (nid, user_code_signature); CREATE UNIQUE INDEX hydra_oauth2_device_auth_codes_user_code_signature_idx ON hydra_oauth2_device_auth_codes (nid, user_code_signature);
CREATE TABLE "hydra_oauth2_flow" ( CREATE TABLE "hydra_oauth2_flow" (
login_challenge VARCHAR(40) NOT NULL PRIMARY KEY, login_challenge VARCHAR(40) NOT NULL PRIMARY KEY,
nid CHAR(36) NOT NULL, nid CHAR(36) NOT NULL,
requested_scope TEXT NOT NULL, requested_scope TEXT NULL,
login_verifier VARCHAR(40) NOT NULL, login_verifier VARCHAR(40) NULL,
login_csrf VARCHAR(40) NOT NULL, login_csrf VARCHAR(40) NULL,
subject VARCHAR(255) NOT NULL, subject VARCHAR(255) NULL,
request_url TEXT NOT NULL, request_url TEXT NULL,
login_skip INTEGER NOT NULL, login_skip INTEGER NULL,
client_id VARCHAR(255) NOT NULL, client_id VARCHAR(255) NULL,
requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
oidc_context TEXT NOT NULL, oidc_context TEXT NULL,
login_session_id VARCHAR(40) NULL REFERENCES hydra_oauth2_authentication_session (id) ON DELETE SET NULL, login_session_id VARCHAR(40) NULL REFERENCES hydra_oauth2_authentication_session (id) ON DELETE SET NULL,
requested_at_audience TEXT NULL, requested_at_audience TEXT NULL,
login_initialized_at TIMESTAMP NULL, login_initialized_at TIMESTAMP NULL,
state INTEGER NOT NULL, state INTEGER NULL,
login_remember INTEGER NULL, login_remember INTEGER NULL,
login_remember_for INTEGER NULL, login_remember_for INTEGER NULL,
login_error TEXT NULL, login_error TEXT NULL,
acr TEXT NULL, acr TEXT NULL,
login_authenticated_at TIMESTAMP NULL, login_authenticated_at TIMESTAMP NULL,
login_was_used INTEGER NULL, login_was_used INTEGER NULL,
forced_subject_identifier VARCHAR(255) NULL, forced_subject_identifier VARCHAR(255) NULL,
context TEXT NULL, context TEXT NULL,
amr TEXT NULL, amr TEXT NULL,
consent_challenge_id VARCHAR(40) NULL, consent_challenge_id VARCHAR(40) NULL,
consent_skip INTEGER NULL, consent_skip INTEGER NULL,
consent_verifier VARCHAR(40) NULL, consent_verifier VARCHAR(40) NULL,
consent_csrf VARCHAR(40) NULL, consent_csrf VARCHAR(40) NULL,
granted_scope TEXT NULL, granted_scope TEXT NULL,
granted_at_audience TEXT NULL, granted_at_audience TEXT NULL,
consent_remember INTEGER NULL, consent_remember INTEGER NULL,
consent_remember_for INTEGER NULL, consent_remember_for INTEGER NULL,
consent_handled_at TIMESTAMP NULL, consent_handled_at TIMESTAMP NULL,
consent_was_used INTEGER NOT NULL, consent_was_used INTEGER NULL,
consent_error TEXT NULL, consent_error TEXT NULL,
session_id_token TEXT NULL, session_id_token TEXT NULL,
session_access_token TEXT NULL, session_access_token TEXT NULL,
login_extend_session_lifespan BOOLEAN NULL, login_extend_session_lifespan BOOLEAN NULL,
identity_provider_session_id VARCHAR(40) NULL, identity_provider_session_id VARCHAR(40) NULL,
device_challenge_id VARCHAR(255) NULL, device_challenge_id VARCHAR(255) NULL,
device_code_request_id VARCHAR(255) NULL, device_code_request_id VARCHAR(255) NULL,
device_verifier VARCHAR(40) NULL, device_verifier VARCHAR(40) NULL,
device_csrf VARCHAR(40) NULL, device_csrf VARCHAR(40) NULL,
device_was_used BOOLEAN NULL, device_was_used BOOLEAN NULL,
device_handled_at TIMESTAMP NULL, device_handled_at TIMESTAMP NULL,
device_error VARCHAR(2048) NULL, device_error VARCHAR(2048) NULL,
expires_at TIMESTAMP GENERATED ALWAYS AS (if(consent_remember_for > 0, expires_at TIMESTAMP GENERATED ALWAYS AS (IF(consent_remember_for > 0,
datetime(requested_at, '+' || consent_remember_for || ' seconds'), datetime(requested_at, '+' || consent_remember_for || ' seconds'),
NULL)) VIRTUAL, NULL)) VIRTUAL,
FOREIGN KEY (client_id, nid) REFERENCES hydra_client (id, nid) ON DELETE CASCADE, FOREIGN KEY (client_id, nid) REFERENCES hydra_client (id, nid) ON DELETE CASCADE
CHECK (
state = 128 OR
state = 129 OR
state = 1 OR
(state = 2 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL
)) OR
(state = 3 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL
)) OR
(state = 4 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL AND
consent_challenge_id IS NOT NULL AND
consent_verifier IS NOT NULL AND
consent_skip IS NOT NULL AND
consent_csrf IS NOT NULL
)) OR
(state = 5 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL AND
consent_challenge_id IS NOT NULL AND
consent_verifier IS NOT NULL AND
consent_skip IS NOT NULL AND
consent_csrf IS NOT NULL
)) OR
(state = 6 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL AND
consent_challenge_id IS NOT NULL AND
consent_verifier IS NOT NULL AND
consent_skip IS NOT NULL AND
consent_csrf IS NOT NULL AND
granted_scope IS NOT NULL AND
consent_remember IS NOT NULL AND
consent_remember_for IS NOT NULL AND
consent_error IS NOT NULL AND
session_access_token IS NOT NULL AND
session_id_token IS NOT NULL AND
consent_was_used IS NOT NULL
))
)
); );
CREATE INDEX hydra_oauth2_flow_client_id_idx ON hydra_oauth2_flow (client_id, nid); CREATE INDEX hydra_oauth2_flow_client_id_idx ON hydra_oauth2_flow (client_id, nid);
CREATE UNIQUE INDEX hydra_oauth2_flow_consent_challenge_id_idx ON hydra_oauth2_flow (consent_challenge_id); CREATE UNIQUE INDEX hydra_oauth2_flow_consent_challenge_id_idx ON hydra_oauth2_flow (consent_challenge_id);


@ -0,0 +1,14 @@
{
"i": "challenge-0020",
"n": "24704dcb-0ab9-4bfa-a84c-405932ae53fe",
"oc": null,
"ia": "2025-12-02T11:05:31Z",
"ct": null,
"la": null,
"dh": null,
"cf": null,
"ch": null,
"cx": null,
"st": null,
"sa": null
}


@ -48,7 +48,7 @@ func snapshotFor(paths ...string) *cupaloy.Config {
func compareWithFixture(t *testing.T, actual interface{}, prefix string, id string) { func compareWithFixture(t *testing.T, actual interface{}, prefix string, id string) {
s := snapshotFor("fixtures", prefix) s := snapshotFor("fixtures", prefix)
actualJSON, err := json.MarshalIndent(actual, "", " ") actualJSON, err := json.MarshalIndent(actual, "", " ")
require.NoError(t, err) require.NoErrorf(t, err, "%+v", actual)
assert.NoError(t, s.SnapshotWithName(id, actualJSON)) assert.NoError(t, s.SnapshotWithName(id, actualJSON))
} }
@ -140,16 +140,26 @@ func TestMigrations(t *testing.T) {
} }
}) })
flows := []flow.Flow{}
require.NoError(t, c.All(&flows))
require.Len(t, flows, 19)
t.Run("case=hydra_oauth2_flow", func(t *testing.T) { t.Run("case=hydra_oauth2_flow", func(t *testing.T) {
for _, f := range flows { // we first load the "full" flows
fullFlows := []flow.Flow{}
require.NoError(t, c.Where("client_id IS NOT NULL").All(&fullFlows))
require.Len(t, fullFlows, 19)
for _, f := range fullFlows {
assert.NotNil(t, f.Client) assert.NotNil(t, f.Client)
f.Client = nil // clients are loaded eagerly, nil them for snapshot comparison f.Client = nil // clients are loaded eagerly, nil them for snapshot comparison
compareWithFixture(t, f, "hydra_oauth2_flow", f.ID) compareWithFixture(t, f, "hydra_oauth2_flow", f.ID)
} }
// then the "reduced" flows
reducedFlows := []flow.Flow{}
require.NoError(t, c.Select("login_challenge", "nid", "requested_at").Where("client_id IS NULL").All(&reducedFlows))
require.Len(t, reducedFlows, 1)
for _, f := range reducedFlows {
compareWithFixture(t, f, "hydra_oauth2_flow", f.ID)
}
}) })
t.Run("case=hydra_oauth2_authentication_session", func(t *testing.T) { t.Run("case=hydra_oauth2_authentication_session", func(t *testing.T) {
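Review bot: The reduced-flow query selects only `login_challenge`, `nid` and `requested_at`, so the test never loads a row with NULL columns through the unrestricted `c.All(...)` path used for the full flows. If any of the now-nullable columns maps to a non-pointer Go field, scanning NULL into it would fail at runtime and this test would not notice; the Flow struct is not visible here, so that is an assumption to confirm. Consider loading the reduced row without the `Select(...)` restriction, and pin the AfterFind behaviour in the second loop with `assert.Nil(t, f.Client)`.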


@ -0,0 +1,5 @@
INSERT
INTO hydra_oauth2_flow (login_challenge,
nid,
requested_at)
VALUES ('challenge-0020', '24704dcb-0ab9-4bfa-a84c-405932ae53fe', '2025-12-02 11:05:31');


@ -0,0 +1,70 @@
ALTER TABLE hydra_oauth2_flow
ADD CONSTRAINT check_state_state_state_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_granted_scope_consent_remember_consent_remember_for_consent_error_session_access_token_session_id_token_consent_was_used
CHECK (((state = 128) OR (state = 129) OR (state = 1) OR ((state = 2) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL))) OR
((state = 3) AND
((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND (acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND (context IS NOT NULL) AND
(amr IS NOT NULL))) OR ((state = 4) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL) AND
(consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND
(consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL))) OR
((state = 5) AND
((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND (acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND (context IS NOT NULL) AND
(amr IS NOT NULL) AND (consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND (consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL))) OR ((state = 6) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL) AND
(consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND
(consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL) AND
(granted_scope IS NOT NULL) AND
(consent_remember IS NOT NULL) AND
(consent_remember_for IS NOT NULL) AND
(consent_error IS NOT NULL) AND
(session_access_token IS NOT NULL) AND
(session_id_token IS NOT NULL) AND
(consent_was_used IS NOT NULL))))),
ALTER COLUMN requested_scope SET NOT NULL,
ALTER COLUMN login_csrf SET NOT NULL,
ALTER COLUMN subject SET NOT NULL,
ALTER COLUMN request_url SET NOT NULL,
ALTER COLUMN login_skip SET NOT NULL,
ALTER COLUMN client_id SET NOT NULL,
ALTER COLUMN oidc_context SET NOT NULL,
ALTER COLUMN context SET NOT NULL,
ALTER COLUMN state SET NOT NULL,
ALTER COLUMN login_verifier SET NOT NULL,
ALTER COLUMN login_remember SET NOT NULL,
ALTER COLUMN login_remember_for SET NOT NULL,
ALTER COLUMN acr SET NOT NULL,
ALTER COLUMN login_was_used SET NOT NULL,
ALTER COLUMN consent_skip SET NOT NULL,
ALTER COLUMN consent_remember SET NOT NULL,
ALTER COLUMN session_access_token SET NOT NULL,
ALTER COLUMN session_id_token SET NOT NULL,
ALTER COLUMN consent_was_used SET NOT NULL;
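Review bot: Every `SET NOT NULL` in this rollback fails as soon as the table holds a row with NULL in one of the listed columns, which is exactly the kind of row the forward migration permits; the test data added in this commit inserts one with only `login_challenge`, `nid` and `requested_at`. As written, the rollback therefore only works on a database that never stored a reduced flow. The file should open with a comment stating that precondition, e.g. `-- Requires that no hydra_oauth2_flow row has NULL in the columns below; remove or backfill reduced flows first.`, or do that cleanup itself before the ALTER.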


@ -0,0 +1,21 @@
ALTER TABLE hydra_oauth2_flow
DROP CONSTRAINT check_state_state_state_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_state_login_remember_login_remember_for_login_error_acr_login_was_used_context_amr_consent_challenge_id_consent_verifier_consent_skip_consent_csrf_granted_scope_consent_remember_consent_remember_for_consent_error_session_access_token_session_id_token_consent_was_used,
ALTER COLUMN requested_scope DROP NOT NULL,
ALTER COLUMN login_csrf DROP NOT NULL,
ALTER COLUMN subject DROP NOT NULL,
ALTER COLUMN request_url DROP NOT NULL,
ALTER COLUMN login_skip DROP NOT NULL,
ALTER COLUMN client_id DROP NOT NULL,
ALTER COLUMN oidc_context DROP NOT NULL,
ALTER COLUMN context DROP NOT NULL,
ALTER COLUMN state DROP NOT NULL,
ALTER COLUMN login_verifier DROP NOT NULL,
ALTER COLUMN login_remember DROP NOT NULL,
ALTER COLUMN login_remember_for DROP NOT NULL,
ALTER COLUMN acr DROP NOT NULL,
ALTER COLUMN login_was_used DROP NOT NULL,
ALTER COLUMN consent_skip DROP NOT NULL,
ALTER COLUMN consent_remember DROP NOT NULL,
ALTER COLUMN session_access_token DROP NOT NULL,
ALTER COLUMN session_id_token DROP NOT NULL,
ALTER COLUMN consent_was_used DROP NOT NULL;
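Review bot: Nothing in this migration records that the invariants it removes must now hold in application code. The statement drops the state-dependent CHECK and lifts NOT NULL from `state`, `client_id`, `login_csrf` and `login_verifier` among others, so the database will accept a flow row with no state or no CSRF/verifier value. A header comment would help the next maintainer, e.g. `-- From here on, the per-state required fields of hydra_oauth2_flow are validated by the application, not by the schema.` Code that reads these columns presumably has to handle NULL explicitly; that is not visible here. The same applies to the other dialect variants further down the page: the `MODIFY COLUMN ... NULL` statement, the `DROP CONSTRAINT hydra_oauth2_flow_check` statement and the `hydra_oauth2_flow_next` table rebuild.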


@ -0,0 +1,73 @@
-- this is not ideal, but required because of MySQL limitations regarding changing columns that are used in foreign key constraints
SET FOREIGN_KEY_CHECKS = 0;
ALTER TABLE hydra_oauth2_flow
ADD CONSTRAINT hydra_oauth2_flow_chk CHECK (((state = 128) OR (state = 129) OR (state = 1) OR ((state = 2) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL))) OR
((state = 3) AND
((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND (acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND (context IS NOT NULL) AND
(amr IS NOT NULL))) OR ((state = 4) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL) AND
(consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND
(consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL))) OR
((state = 5) AND
((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND (acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND (context IS NOT NULL) AND
(amr IS NOT NULL) AND (consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND (consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL))) OR ((state = 6) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL) AND
(consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND
(consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL) AND
(granted_scope IS NOT NULL) AND
(consent_remember IS NOT NULL) AND
(consent_remember_for IS NOT NULL) AND
(consent_error IS NOT NULL) AND
(session_access_token IS NOT NULL) AND
(session_id_token IS NOT NULL) AND
(consent_was_used IS NOT NULL))))),
MODIFY COLUMN requested_scope json NOT NULL,
MODIFY COLUMN login_csrf VARCHAR (40) NOT NULL,
MODIFY COLUMN subject VARCHAR (255) NOT NULL,
MODIFY COLUMN request_url TEXT NOT NULL,
MODIFY COLUMN login_skip tinyint(1) NOT NULL,
MODIFY COLUMN client_id varchar(255) NOT NULL,
MODIFY COLUMN oidc_context json NOT NULL,
MODIFY COLUMN context json NOT NULL,
MODIFY COLUMN state SMALLINT NOT NULL,
MODIFY COLUMN acr TEXT NOT NULL,
MODIFY COLUMN consent_skip tinyint(1) NOT NULL,
MODIFY COLUMN consent_remember tinyint(1) NOT NULL,
MODIFY COLUMN login_remember tinyint(1) NOT NULL,
MODIFY COLUMN consent_was_used tinyint(1) NOT NULL,
MODIFY COLUMN login_was_used tinyint(1) NOT NULL,
MODIFY COLUMN session_id_token json NOT NULL,
MODIFY COLUMN session_access_token json NOT NULL;
SET FOREIGN_KEY_CHECKS = 1;
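Review bot: The rollback does not restore `login_verifier` and `login_remember_for`. The forward migration for this dialect relaxes both (`MODIFY COLUMN login_verifier varchar(40) NULL`, `MODIFY COLUMN login_remember_for int NULL`), and the other dialects' rollbacks set them back to NOT NULL, but this MODIFY list omits them. Unless they were already nullable on MySQL before this commit, add `MODIFY COLUMN login_verifier VARCHAR(40) NOT NULL,` and `MODIFY COLUMN login_remember_for INT NOT NULL,`. Separately, if the ALTER fails, `SET FOREIGN_KEY_CHECKS = 1;` is never reached and the session may keep foreign-key checks off; confirm that the migration runner discards or resets the connection on error.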


@ -0,0 +1,29 @@
ALTER TABLE hydra_oauth2_flow
DROP CONSTRAINT hydra_oauth2_flow_chk,
MODIFY COLUMN requested_scope json NULL,
MODIFY COLUMN login_csrf varchar(40) NULL,
MODIFY COLUMN subject varchar(255) NULL,
MODIFY COLUMN request_url text DEFAULT NULL,
MODIFY COLUMN login_skip tinyint(1) NULL,
MODIFY COLUMN client_id varchar(255) NULL,
MODIFY COLUMN oidc_context json NULL,
MODIFY COLUMN context json NULL,
MODIFY COLUMN state smallint NULL,
MODIFY COLUMN login_verifier varchar(40) NULL,
MODIFY COLUMN login_remember tinyint(1) NULL,
MODIFY COLUMN login_remember_for int NULL,
MODIFY COLUMN acr text DEFAULT NULL,
MODIFY COLUMN login_was_used tinyint(1) NULL,
MODIFY COLUMN consent_skip tinyint(1) NULL,
MODIFY COLUMN consent_remember tinyint(1) NULL,
MODIFY COLUMN session_access_token json NULL,
MODIFY COLUMN session_id_token json NULL,
MODIFY COLUMN consent_was_used tinyint(1) NULL,
-- Set default values to NULL for compatibility with strict SQL modes
MODIFY COLUMN login_session_id varchar(40) DEFAULT NULL,
MODIFY COLUMN login_error text DEFAULT NULL,
MODIFY COLUMN consent_error text DEFAULT NULL,
MODIFY COLUMN requested_at_audience json DEFAULT NULL,
MODIFY COLUMN amr json DEFAULT NULL,
MODIFY COLUMN granted_at_audience json DEFAULT NULL;
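Review bot: This statement modifies `client_id` and `login_session_id` without `SET FOREIGN_KEY_CHECKS = 0`, while the matching rollback says disabling the checks is required for changing columns used in foreign key constraints. Both look like foreign-key columns, judging by the SQLite table definition on this page. Either the forward direction needs the same wrapper or the rollback does not. If relaxing to NULL is simply exempt from the limitation, say so at the top of the file, e.g. `-- Relaxing a column to NULL does not need FOREIGN_KEY_CHECKS = 0, unlike the rollback.`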


@ -0,0 +1,69 @@
ALTER TABLE hydra_oauth2_flow
ADD CONSTRAINT hydra_oauth2_flow_check CHECK (((state = 128) OR (state = 129) OR (state = 1) OR ((state = 2) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL))) OR
((state = 3) AND
((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND (acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND (context IS NOT NULL) AND
(amr IS NOT NULL))) OR ((state = 4) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL) AND
(consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND
(consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL))) OR
((state = 5) AND
((login_remember IS NOT NULL) AND (login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND (acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND (context IS NOT NULL) AND
(amr IS NOT NULL) AND (consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND (consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL))) OR ((state = 6) AND
((login_remember IS NOT NULL) AND
(login_remember_for IS NOT NULL) AND
(login_error IS NOT NULL) AND
(acr IS NOT NULL) AND
(login_was_used IS NOT NULL) AND
(context IS NOT NULL) AND
(amr IS NOT NULL) AND
(consent_challenge_id IS NOT NULL) AND
(consent_verifier IS NOT NULL) AND
(consent_skip IS NOT NULL) AND
(consent_csrf IS NOT NULL) AND
(granted_scope IS NOT NULL) AND
(consent_remember IS NOT NULL) AND
(consent_remember_for IS NOT NULL) AND
(consent_error IS NOT NULL) AND
(session_access_token IS NOT NULL) AND
(session_id_token IS NOT NULL) AND
(consent_was_used IS NOT NULL))))),
ALTER COLUMN requested_scope SET NOT NULL,
ALTER COLUMN login_csrf SET NOT NULL,
ALTER COLUMN subject SET NOT NULL,
ALTER COLUMN request_url SET NOT NULL,
ALTER COLUMN login_skip SET NOT NULL,
ALTER COLUMN client_id SET NOT NULL,
ALTER COLUMN oidc_context SET NOT NULL,
ALTER COLUMN context SET NOT NULL,
ALTER COLUMN state SET NOT NULL,
ALTER COLUMN login_verifier SET NOT NULL,
ALTER COLUMN login_remember SET NOT NULL,
ALTER COLUMN login_remember_for SET NOT NULL,
ALTER COLUMN acr SET NOT NULL,
ALTER COLUMN login_was_used SET NOT NULL,
ALTER COLUMN consent_skip SET NOT NULL,
ALTER COLUMN consent_remember SET NOT NULL,
ALTER COLUMN session_access_token SET NOT NULL,
ALTER COLUMN session_id_token SET NOT NULL,
ALTER COLUMN consent_was_used SET NOT NULL;


@ -0,0 +1,21 @@
ALTER TABLE hydra_oauth2_flow
DROP CONSTRAINT hydra_oauth2_flow_check,
ALTER COLUMN requested_scope DROP NOT NULL,
ALTER COLUMN login_csrf DROP NOT NULL,
ALTER COLUMN subject DROP NOT NULL,
ALTER COLUMN request_url DROP NOT NULL,
ALTER COLUMN login_skip DROP NOT NULL,
ALTER COLUMN client_id DROP NOT NULL,
ALTER COLUMN oidc_context DROP NOT NULL,
ALTER COLUMN context DROP NOT NULL,
ALTER COLUMN state DROP NOT NULL,
ALTER COLUMN login_verifier DROP NOT NULL,
ALTER COLUMN login_remember DROP NOT NULL,
ALTER COLUMN login_remember_for DROP NOT NULL,
ALTER COLUMN acr DROP NOT NULL,
ALTER COLUMN login_was_used DROP NOT NULL,
ALTER COLUMN consent_skip DROP NOT NULL,
ALTER COLUMN consent_remember DROP NOT NULL,
ALTER COLUMN session_access_token DROP NOT NULL,
ALTER COLUMN session_id_token DROP NOT NULL,
ALTER COLUMN consent_was_used DROP NOT NULL;


@ -0,0 +1,198 @@
CREATE TABLE hydra_oauth2_flow_prev (
login_challenge VARCHAR(40) NOT NULL PRIMARY KEY,
nid CHAR(36) NOT NULL,
requested_scope TEXT NOT NULL,
login_verifier VARCHAR(40) NOT NULL,
login_csrf VARCHAR(40) NOT NULL,
subject VARCHAR(255) NOT NULL,
request_url TEXT NOT NULL,
login_skip INTEGER NOT NULL,
client_id VARCHAR(255) NOT NULL,
requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
oidc_context TEXT NOT NULL,
login_session_id VARCHAR(40) NULL REFERENCES hydra_oauth2_authentication_session (id) ON DELETE SET NULL,
requested_at_audience TEXT NULL,
login_initialized_at TIMESTAMP NULL,
state INTEGER NOT NULL,
login_remember INTEGER NULL,
login_remember_for INTEGER NULL,
login_error TEXT NULL,
acr TEXT NULL,
login_authenticated_at TIMESTAMP NULL,
login_was_used INTEGER NULL,
forced_subject_identifier VARCHAR(255) NULL,
context TEXT NULL,
amr TEXT NULL,
consent_challenge_id VARCHAR(40) NULL,
consent_skip INTEGER NULL,
consent_verifier VARCHAR(40) NULL,
consent_csrf VARCHAR(40) NULL,
granted_scope TEXT NULL,
granted_at_audience TEXT NULL,
consent_remember INTEGER NULL,
consent_remember_for INTEGER NULL,
consent_handled_at TIMESTAMP NULL,
consent_was_used INTEGER NOT NULL,
consent_error TEXT NULL,
session_id_token TEXT NULL,
session_access_token TEXT NULL,
login_extend_session_lifespan BOOLEAN NULL,
identity_provider_session_id VARCHAR(40) NULL,
device_challenge_id VARCHAR(255) NULL,
device_code_request_id VARCHAR(255) NULL,
device_verifier VARCHAR(40) NULL,
device_csrf VARCHAR(40) NULL,
device_was_used BOOLEAN NULL,
device_handled_at TIMESTAMP NULL,
device_error VARCHAR(2048) NULL,
expires_at TIMESTAMP GENERATED ALWAYS AS (IF(consent_remember_for > 0,
datetime(requested_at, '+' || consent_remember_for || ' seconds'),
NULL)) VIRTUAL,
FOREIGN KEY (client_id, nid) REFERENCES hydra_client (id, nid) ON DELETE CASCADE,
CHECK (
state = 128 OR
state = 129 OR
state = 1 OR
(state = 2 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL
)) OR
(state = 3 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL
)) OR
(state = 4 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL AND
consent_challenge_id IS NOT NULL AND
consent_verifier IS NOT NULL AND
consent_skip IS NOT NULL AND
consent_csrf IS NOT NULL
)) OR
(state = 5 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL AND
consent_challenge_id IS NOT NULL AND
consent_verifier IS NOT NULL AND
consent_skip IS NOT NULL AND
consent_csrf IS NOT NULL
)) OR
(state = 6 AND (
login_remember IS NOT NULL AND
login_remember_for IS NOT NULL AND
login_error IS NOT NULL AND
acr IS NOT NULL AND
login_was_used IS NOT NULL AND
context IS NOT NULL AND
amr IS NOT NULL AND
consent_challenge_id IS NOT NULL AND
consent_verifier IS NOT NULL AND
consent_skip IS NOT NULL AND
consent_csrf IS NOT NULL AND
granted_scope IS NOT NULL AND
consent_remember IS NOT NULL AND
consent_remember_for IS NOT NULL AND
consent_error IS NOT NULL AND
session_access_token IS NOT NULL AND
session_id_token IS NOT NULL AND
consent_was_used IS NOT NULL
))
)
);
INSERT
INTO hydra_oauth2_flow_prev (login_challenge, nid, requested_scope, login_verifier, login_csrf, subject, request_url,
login_skip, client_id, requested_at, oidc_context, login_session_id, requested_at_audience,
login_initialized_at, state, login_remember, login_remember_for, login_error, acr,
login_authenticated_at, login_was_used, forced_subject_identifier, context, amr,
consent_challenge_id, consent_skip, consent_verifier, consent_csrf, granted_scope,
granted_at_audience, consent_remember, consent_remember_for, consent_handled_at,
consent_was_used, consent_error, session_id_token, session_access_token,
login_extend_session_lifespan, identity_provider_session_id, device_challenge_id,
device_code_request_id, device_verifier, device_csrf, device_was_used, device_handled_at,
device_error)
SELECT login_challenge,
nid,
requested_scope,
login_verifier,
login_csrf,
subject,
request_url,
login_skip,
client_id,
requested_at,
oidc_context,
login_session_id,
requested_at_audience,
login_initialized_at,
state,
login_remember,
login_remember_for,
login_error,
acr,
login_authenticated_at,
login_was_used,
forced_subject_identifier,
context,
amr,
consent_challenge_id,
consent_skip,
consent_verifier,
consent_csrf,
granted_scope,
granted_at_audience,
consent_remember,
consent_remember_for,
consent_handled_at,
consent_was_used,
consent_error,
session_id_token,
session_access_token,
login_extend_session_lifespan,
identity_provider_session_id,
device_challenge_id,
device_code_request_id,
device_verifier,
device_csrf,
device_was_used,
device_handled_at,
device_error
FROM hydra_oauth2_flow;
DROP TABLE hydra_oauth2_flow;
ALTER TABLE hydra_oauth2_flow_prev
RENAME TO hydra_oauth2_flow;
CREATE INDEX hydra_oauth2_flow_client_id_idx ON hydra_oauth2_flow (client_id, nid);
CREATE INDEX hydra_oauth2_flow_login_session_id_idx ON hydra_oauth2_flow (login_session_id);
CREATE INDEX hydra_oauth2_flow_subject_idx ON hydra_oauth2_flow (subject, nid);
CREATE UNIQUE INDEX hydra_oauth2_flow_consent_challenge_id_idx ON hydra_oauth2_flow (consent_challenge_id);
CREATE INDEX hydra_oauth2_flow_previous_consents_idx ON hydra_oauth2_flow (subject, client_id, nid, consent_skip,
consent_error, consent_remember);
CREATE UNIQUE INDEX hydra_oauth2_flow_device_challenge_idx ON hydra_oauth2_flow (device_challenge_id);
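Review bot: The copy, drop and rename sequence has no visible transaction around it, so a failure after `DROP TABLE hydra_oauth2_flow;` and before the rename would leave the database without the flow table. If the migration runner does not already execute each file in a single transaction, wrap the statements in `BEGIN;` and `COMMIT;`. The `INSERT ... SELECT` also fails on any row holding a NULL in a column declared NOT NULL here, so this file depends on the cleanup `DELETE` having run first; a one-line comment at the top would make that ordering explicit. The forward rebuild into `hydra_oauth2_flow_next` shares the transaction concern.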


@ -0,0 +1,129 @@
CREATE TABLE hydra_oauth2_flow_next (
login_challenge VARCHAR(40) NOT NULL PRIMARY KEY,
nid CHAR(36) NOT NULL,
requested_scope TEXT NULL,
login_verifier VARCHAR(40) NULL,
login_csrf VARCHAR(40) NULL,
subject VARCHAR(255) NULL,
request_url TEXT NULL,
login_skip INTEGER NULL,
client_id VARCHAR(255) NULL,
requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
oidc_context TEXT NULL,
login_session_id VARCHAR(40) NULL REFERENCES hydra_oauth2_authentication_session (id) ON DELETE SET NULL,
requested_at_audience TEXT NULL,
login_initialized_at TIMESTAMP NULL,
state INTEGER NULL,
login_remember INTEGER NULL,
login_remember_for INTEGER NULL,
login_error TEXT NULL,
acr TEXT NULL,
login_authenticated_at TIMESTAMP NULL,
login_was_used INTEGER NULL,
forced_subject_identifier VARCHAR(255) NULL,
context TEXT NULL,
amr TEXT NULL,
consent_challenge_id VARCHAR(40) NULL,
consent_skip INTEGER NULL,
consent_verifier VARCHAR(40) NULL,
consent_csrf VARCHAR(40) NULL,
granted_scope TEXT NULL,
granted_at_audience TEXT NULL,
consent_remember INTEGER NULL,
consent_remember_for INTEGER NULL,
consent_handled_at TIMESTAMP NULL,
consent_was_used INTEGER NULL,
consent_error TEXT NULL,
session_id_token TEXT NULL,
session_access_token TEXT NULL,
login_extend_session_lifespan BOOLEAN NULL,
identity_provider_session_id VARCHAR(40) NULL,
device_challenge_id VARCHAR(255) NULL,
device_code_request_id VARCHAR(255) NULL,
device_verifier VARCHAR(40) NULL,
device_csrf VARCHAR(40) NULL,
device_was_used BOOLEAN NULL,
device_handled_at TIMESTAMP NULL,
device_error VARCHAR(2048) NULL,
expires_at TIMESTAMP GENERATED ALWAYS AS (IF(consent_remember_for > 0,
datetime(requested_at, '+' || consent_remember_for || ' seconds'),
NULL)) VIRTUAL,
FOREIGN KEY (client_id, nid) REFERENCES hydra_client (id, nid) ON DELETE CASCADE
);
INSERT
INTO hydra_oauth2_flow_next (login_challenge, nid, requested_scope, login_verifier, login_csrf, subject, request_url,
login_skip, client_id, requested_at, oidc_context, login_session_id, requested_at_audience,
login_initialized_at, state, login_remember, login_remember_for, login_error, acr,
login_authenticated_at, login_was_used, forced_subject_identifier, context, amr,
consent_challenge_id, consent_skip, consent_verifier, consent_csrf, granted_scope,
granted_at_audience, consent_remember, consent_remember_for, consent_handled_at,
consent_was_used, consent_error, session_id_token, session_access_token,
login_extend_session_lifespan, identity_provider_session_id, device_challenge_id,
device_code_request_id, device_verifier, device_csrf, device_was_used, device_handled_at,
device_error)
SELECT login_challenge,
nid,
requested_scope,
login_verifier,
login_csrf,
subject,
request_url,
login_skip,
client_id,
requested_at,
oidc_context,
login_session_id,
requested_at_audience,
login_initialized_at,
state,
login_remember,
login_remember_for,
login_error,
acr,
login_authenticated_at,
login_was_used,
forced_subject_identifier,
context,
amr,
consent_challenge_id,
consent_skip,
consent_verifier,
consent_csrf,
granted_scope,
granted_at_audience,
consent_remember,
consent_remember_for,
consent_handled_at,
consent_was_used,
consent_error,
session_id_token,
session_access_token,
login_extend_session_lifespan,
identity_provider_session_id,
device_challenge_id,
device_code_request_id,
device_verifier,
device_csrf,
device_was_used,
device_handled_at,
device_error
FROM hydra_oauth2_flow;
DROP TABLE hydra_oauth2_flow;
ALTER TABLE hydra_oauth2_flow_next
RENAME TO hydra_oauth2_flow;
CREATE INDEX hydra_oauth2_flow_client_id_idx ON hydra_oauth2_flow (client_id, nid);
CREATE INDEX hydra_oauth2_flow_login_session_id_idx ON hydra_oauth2_flow (login_session_id);
CREATE INDEX hydra_oauth2_flow_subject_idx ON hydra_oauth2_flow (subject, nid);
CREATE UNIQUE INDEX hydra_oauth2_flow_consent_challenge_id_idx ON hydra_oauth2_flow (consent_challenge_id);
CREATE INDEX hydra_oauth2_flow_previous_consents_idx ON hydra_oauth2_flow (subject, client_id, nid, consent_skip,
consent_error, consent_remember);
CREATE UNIQUE INDEX hydra_oauth2_flow_device_challenge_idx ON hydra_oauth2_flow (device_challenge_id);


@ -0,0 +1,21 @@
DELETE
FROM hydra_oauth2_flow
WHERE requested_scope IS NULL
OR login_csrf IS NULL
OR subject IS NULL
OR request_url IS NULL
OR login_skip IS NULL
OR client_id IS NULL
OR oidc_context IS NULL
OR context IS NULL
OR state IS NULL
OR login_verifier IS NULL
OR login_remember IS NULL
OR login_remember_for IS NULL
OR acr IS NULL
OR login_was_used IS NULL
OR consent_skip IS NULL
OR consent_remember IS NULL
OR session_access_token IS NULL
OR session_id_token IS NULL
OR consent_was_used IS NULL;
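Review bot: This rollback step deletes data without saying so. Every flow row with a NULL in any of the nineteen listed columns is removed, which would include in-progress login and consent flows and, presumably, any remembered consent stored in such rows. A header comment should state that this is intentional and why, for example `-- Rows with NULLs cannot be represented in the previous schema (NOT NULL columns); rolling back discards them.` Operators would also want to know whether dependent records are removed through cascading foreign keys, which is not visible here.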


@ -0,0 +1 @@
-- nothing to do here


@ -37,7 +37,7 @@ func testRegistry(t *testing.T, db string, t1, t2 *driver.RegistrySQL) {
// TODO enable parallel tests for mysql once we support automatic transaction retries // TODO enable parallel tests for mysql once we support automatic transaction retries
var parallel bool var parallel bool
switch db { switch db {
case "mysql": case "mysql", "sqlite":
parallel = false parallel = false
default: default:
parallel = true parallel = true
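Review bot: The TODO above the switch still explains only the MySQL case, while the changed `case "mysql", "sqlite":` now also turns parallel runs off for SQLite. Extend the comment so the SQLite reason is recorded next to the MySQL one, e.g. `// TODO enable parallel tests for mysql and sqlite once ...` with the actual cause filled in. That cause is not visible in this hunk. testRegistry's body continues outside the hunk.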