fix(upgrade): close payment and oidc compatibility gaps

backend/migrations/124_backfill_legacy_oidc_security_flags.sql

@@ -0,0 +1,32 @@
+-- Preserve legacy OIDC behavior for upgraded installs that predate the
+-- introduction of secure PKCE/id_token defaults. Fresh installs continue to
+-- inherit runtime defaults when these rows are absent.
+
+WITH legacy_oidc_install AS (
+    SELECT 1
+    FROM settings
+    WHERE key IN (
+        'oidc_connect_enabled',
+        'oidc_connect_client_id',
+        'oidc_connect_authorize_url',
+        'oidc_connect_token_url',
+        'oidc_connect_issuer_url',
+        'oidc_connect_userinfo_url',
+        'oidc_connect_frontend_redirect_url'
+    )
+    LIMIT 1
+)
+INSERT INTO settings (key, value)
+SELECT defaults.key, 'false'
+FROM legacy_oidc_install
+CROSS JOIN (
+    VALUES
+        ('oidc_connect_use_pkce'),
+        ('oidc_connect_validate_id_token')
+) AS defaults(key)
+WHERE NOT EXISTS (
+    SELECT 1
+    FROM settings existing
+    WHERE existing.key = defaults.key
+)
+ON CONFLICT (key) DO NOTHING;

backend/migrations/auth_identity_payment_migrations_regression_test.go

@@ -115,3 +115,15 @@ func TestMigration123BackfillsLegacyAuthSourceGrantDefaultsSafely(t *testing.T)
 	require.Contains(t, sql, "value = 'false'")
 	require.Contains(t, sql, "auth_identity_migration_reports")
 }
+
+func TestMigration124BackfillsLegacyOIDCSecurityFlagsSafely(t *testing.T) {
+	content, err := FS.ReadFile("124_backfill_legacy_oidc_security_flags.sql")
+	require.NoError(t, err)
+
+	sql := string(content)
+	require.Contains(t, sql, "oidc_connect_use_pkce")
+	require.Contains(t, sql, "oidc_connect_validate_id_token")
+	require.Contains(t, sql, "ON CONFLICT (key) DO NOTHING")
+	require.Contains(t, sql, "oidc_connect_enabled")
+	require.Contains(t, sql, "'false'")
+}