From 861bcc898f7ff50651a2c6814301c7d82e4daa2a Mon Sep 17 00:00:00 2001
From: James Elliott <james-d-elliott@users.noreply.github.com>
Date: Mon, 25 Apr 2022 17:53:38 +1000
Subject: [PATCH] refactor: ensure bad consent sessions and identifiers are
 deleted (#3241)

---
 .../storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql   | 2 ++
 .../migrations/V0005.ConsentSubjectNULL.postgres.up.sql        | 2 ++
 .../storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql  | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql
index eac4de80f..657db06b2 100644
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql
@@ -1,3 +1,5 @@
+DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
+DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect');
 ALTER TABLE oauth2_consent_session MODIFY subject CHAR(36) NULL DEFAULT NULL;
 ALTER TABLE oauth2_consent_session
     DROP FOREIGN KEY oauth2_consent_subject_fkey,
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql
index 0645384c3..50cc4d22a 100644
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql
@@ -1,3 +1,5 @@
+DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
+DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect');
 ALTER TABLE oauth2_consent_session ALTER COLUMN subject DROP NOT NULL;
 ALTER TABLE oauth2_consent_session ALTER COLUMN subject SET DEFAULT NULL;
 ALTER TABLE oauth2_consent_session RENAME CONSTRAINT oauth2_consent_subject_fkey TO oauth2_consent_session_subject_fkey;
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
index 3526a0c2f..8f0a08f01 100644
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
@@ -2,6 +2,9 @@ PRAGMA foreign_keys=off;
 
 BEGIN TRANSACTION;
 
+DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
+DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect');
+
 ALTER TABLE oauth2_consent_session RENAME TO _bkp_UP_V0005_oauth2_consent_session;
 
 CREATE TABLE IF NOT EXISTS oauth2_consent_session (