fix: invalidate tokens with inconsistent state (#3385)

This patch includes SQL migrations targeting environments which have not yet migrated to Ory Hydra 2.0. It removes inconsistent records which resolves issues during the migrations process. Please be aware that some users might be affected by this change. They might need to re-authorize certain apps. However, most active records should not be affected by this.

Installations already on Ory Hydra 2.0 will not be affected by this change.

Closes #3346

persistence/sql/migrations/20211019000001000001_merge_authentication_request_tables.cockroach.up.sql

@@ -98,3 +98,27 @@ ON hydra_oauth2_authentication_request.challenge = hydra_oauth2_consent_request.
 LEFT JOIN hydra_oauth2_consent_request_handled
 ON hydra_oauth2_consent_request.challenge = hydra_oauth2_consent_request_handled.challenge;
 
+UPDATE hydra_oauth2_access AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_code AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_oidc AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_refresh AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_pkce AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);

persistence/sql/migrations/20211019000001000001_merge_authentication_request_tables.mysql.up.sql

@@ -97,3 +97,28 @@ LEFT JOIN hydra_oauth2_consent_request
 ON hydra_oauth2_authentication_request.challenge = hydra_oauth2_consent_request.login_challenge
 LEFT JOIN hydra_oauth2_consent_request_handled
 ON hydra_oauth2_consent_request.challenge = hydra_oauth2_consent_request_handled.challenge;
+
+UPDATE hydra_oauth2_access AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_code AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_oidc AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_refresh AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_pkce AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);

persistence/sql/migrations/20211019000001000001_merge_authentication_request_tables.postgres.up.sql

@@ -98,3 +98,27 @@ ON hydra_oauth2_authentication_request.challenge = hydra_oauth2_consent_request.
 LEFT JOIN hydra_oauth2_consent_request_handled
 ON hydra_oauth2_consent_request.challenge = hydra_oauth2_consent_request_handled.challenge;
 
+UPDATE hydra_oauth2_access AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_code AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_oidc AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_refresh AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_pkce AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);

persistence/sql/migrations/20211019000001000001_merge_authentication_request_tables.sqlite.up.sql

@@ -98,3 +98,27 @@ ON hydra_oauth2_authentication_request.challenge = hydra_oauth2_consent_request.
 LEFT JOIN hydra_oauth2_consent_request_handled
 ON hydra_oauth2_consent_request.challenge = hydra_oauth2_consent_request_handled.challenge;
 
+UPDATE hydra_oauth2_access AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_code AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_oidc AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_refresh AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);
+
+UPDATE hydra_oauth2_pkce AS t1
+SET challenge_id = NULL
+WHERE challenge_id IS NOT NULL
+  AND NOT exists(SELECT NULL FROM hydra_oauth2_flow t2 WHERE t1.challenge_id = t2.consent_challenge_id);