fix(upgrade): close payment and oidc compatibility gaps

backend/migrations/124_backfill_legacy_oidc_security_flags.sql

@@ -0,0 +1,32 @@
+-- Preserve legacy OIDC behavior for upgraded installs that predate the
+-- introduction of secure PKCE/id_token defaults. Fresh installs continue to
+-- inherit runtime defaults when these rows are absent.
+
+WITH legacy_oidc_install AS (
+    SELECT 1
+    FROM settings
+    WHERE key IN (
+        'oidc_connect_enabled',
+        'oidc_connect_client_id',
+        'oidc_connect_authorize_url',
+        'oidc_connect_token_url',
+        'oidc_connect_issuer_url',
+        'oidc_connect_userinfo_url',
+        'oidc_connect_frontend_redirect_url'
+    )
+    LIMIT 1
+)
+INSERT INTO settings (key, value)
+SELECT defaults.key, 'false'
+FROM legacy_oidc_install
+CROSS JOIN (
+    VALUES
+        ('oidc_connect_use_pkce'),
+        ('oidc_connect_validate_id_token')
+) AS defaults(key)
+WHERE NOT EXISTS (
+    SELECT 1
+    FROM settings existing
+    WHERE existing.key = defaults.key
+)
+ON CONFLICT (key) DO NOTHING;