fix(auth): scrub legacy pending oauth tokens on upgrade

backend/migrations/122_pending_auth_completion_token_cleanup.sql

@@ -0,0 +1,15 @@
+UPDATE pending_auth_sessions
+SET
+    local_flow_state = jsonb_set(
+        local_flow_state,
+        '{completion_response}',
+        ((local_flow_state -> 'completion_response') - 'access_token' - 'refresh_token' - 'expires_in' - 'token_type'),
+        true
+    )
+WHERE jsonb_typeof(local_flow_state -> 'completion_response') = 'object'
+  AND (
+      (local_flow_state -> 'completion_response') ? 'access_token'
+      OR (local_flow_state -> 'completion_response') ? 'refresh_token'
+      OR (local_flow_state -> 'completion_response') ? 'expires_in'
+      OR (local_flow_state -> 'completion_response') ? 'token_type'
+  );

backend/migrations/123_fix_legacy_auth_source_grant_on_signup_defaults.sql

@@ -0,0 +1,39 @@
+WITH migration_110 AS (
+    SELECT applied_at
+    FROM schema_migrations
+    WHERE filename = '110_pending_auth_and_provider_default_grants.sql'
+),
+legacy_provider_defaults AS (
+    SELECT provider_type
+    FROM (
+        VALUES ('email'), ('linuxdo'), ('oidc'), ('wechat')
+    ) AS providers(provider_type)
+    CROSS JOIN migration_110
+    JOIN settings balance
+      ON balance.key = 'auth_source_default_' || providers.provider_type || '_balance'
+    JOIN settings concurrency
+      ON concurrency.key = 'auth_source_default_' || providers.provider_type || '_concurrency'
+    JOIN settings subscriptions
+      ON subscriptions.key = 'auth_source_default_' || providers.provider_type || '_subscriptions'
+    JOIN settings grant_on_signup
+      ON grant_on_signup.key = 'auth_source_default_' || providers.provider_type || '_grant_on_signup'
+    JOIN settings grant_on_first_bind
+      ON grant_on_first_bind.key = 'auth_source_default_' || providers.provider_type || '_grant_on_first_bind'
+    WHERE balance.value = '0'
+      AND concurrency.value = '5'
+      AND subscriptions.value = '[]'
+      AND grant_on_signup.value = 'true'
+      AND grant_on_first_bind.value = 'false'
+      AND balance.updated_at BETWEEN migration_110.applied_at - INTERVAL '1 minute' AND migration_110.applied_at + INTERVAL '1 minute'
+      AND concurrency.updated_at BETWEEN migration_110.applied_at - INTERVAL '1 minute' AND migration_110.applied_at + INTERVAL '1 minute'
+      AND subscriptions.updated_at BETWEEN migration_110.applied_at - INTERVAL '1 minute' AND migration_110.applied_at + INTERVAL '1 minute'
+      AND grant_on_signup.updated_at BETWEEN migration_110.applied_at - INTERVAL '1 minute' AND migration_110.applied_at + INTERVAL '1 minute'
+      AND grant_on_first_bind.updated_at BETWEEN migration_110.applied_at - INTERVAL '1 minute' AND migration_110.applied_at + INTERVAL '1 minute'
+)
+UPDATE settings
+SET
+    value = 'false',
+    updated_at = NOW()
+FROM legacy_provider_defaults
+WHERE settings.key = 'auth_source_default_' || legacy_provider_defaults.provider_type || '_grant_on_signup'
+  AND settings.value = 'true';

backend/migrations/auth_identity_payment_migrations_regression_test.go

@@ -59,3 +59,28 @@ func TestMigration119DefersPaymentIndexRolloutToOnlineFollowup(t *testing.T) {
 	require.Contains(t, followupSQL, "DROP INDEX CONCURRENTLY IF EXISTS paymentorder_out_trade_no")
 	require.Contains(t, followupSQL, "WHERE out_trade_no <> ''")
 }
+
+func TestMigration122ScrubsPendingOAuthCompletionTokensAtRest(t *testing.T) {
+	content, err := FS.ReadFile("122_pending_auth_completion_token_cleanup.sql")
+	require.NoError(t, err)
+
+	sql := string(content)
+	require.Contains(t, sql, "UPDATE pending_auth_sessions")
+	require.Contains(t, sql, "completion_response")
+	require.Contains(t, sql, "access_token")
+	require.Contains(t, sql, "refresh_token")
+	require.Contains(t, sql, "expires_in")
+	require.Contains(t, sql, "token_type")
+}
+
+func TestMigration123BackfillsLegacyAuthSourceGrantDefaultsSafely(t *testing.T) {
+	content, err := FS.ReadFile("123_fix_legacy_auth_source_grant_on_signup_defaults.sql")
+	require.NoError(t, err)
+
+	sql := string(content)
+	require.Contains(t, sql, "110_pending_auth_and_provider_default_grants.sql")
+	require.Contains(t, sql, "schema_migrations")
+	require.Contains(t, sql, "updated_at")
+	require.Contains(t, sql, "'_grant_on_signup'")
+	require.Contains(t, sql, "value = 'false'")
+}