revert: simplify consent store

GitOrigin-RevId: 5cb638da28b47533c6a82661a36e9add4ca4be97

Author: zepatrik

consent/test/manager_test_helpers.go

@@ -27,7 +27,7 @@ import (
 	"github.com/ory/x/uuidx"
 )
 
-func MockConsentFlow(remember bool, rememberFor int, skip bool) *flow.Flow {
+func mockConsentRequest(remember bool, rememberFor int, skip bool) *flow.Flow {
 	return &flow.Flow{
 		ID:               uuidx.NewV4().String(),
 		Client:           &client.Client{ID: uuidx.NewV4().String()},
@@ -219,8 +219,8 @@ func ConsentManagerTests(t *testing.T, deps Deps, m consent.Manager, loginManage
 			{"6", true, 120, true, false},
 		} {
 			t.Run("key="+tc.key, func(t *testing.T) {
-				f := MockConsentFlow(tc.remember, tc.rememberFor, tc.skip)
-				require.NoError(t, clientManager.CreateClient(t.Context(), f.Client))
+				f := mockConsentRequest(tc.remember, tc.rememberFor, tc.skip)
+				_ = clientManager.CreateClient(t.Context(), f.Client) // Ignore errors that are caused by duplication
 				f.NID = deps.Networker().NetworkID(t.Context())
 
 				require.NoError(t, m.CreateConsentSession(t.Context(), f))
@@ -234,7 +234,7 @@ func ConsentManagerTests(t *testing.T, deps Deps, m consent.Manager, loginManage
 						// unfortunately the interface does not allow us to set the absolute time, so we have to wait
 						time.Sleep(2 * time.Second)
 					}
-					actual, err := m.FindGrantedAndRememberedConsentRequest(t.Context(), f.Client.ID, f.Subject)
+					actual, err := m.FindGrantedAndRememberedConsentRequest(t.Context(), f.ClientID, f.Subject)
 					if !tc.expectRemembered {
 						assert.Nil(t, actual)
 						assert.ErrorIs(t, err, consent.ErrNoPreviousConsentFound)
@@ -260,45 +260,36 @@ func ConsentManagerTests(t *testing.T, deps Deps, m consent.Manager, loginManage
 
 	t.Run("case=revoke consent request", func(t *testing.T) {
 		type tc struct {
-			f      *flow.Flow
-			at, rt string
-			revoke func(*testing.T, tc)
+			at, rt, subject, client string
+			revoke                  func(*testing.T)
 		}
-		revokeFuncs := []func(*testing.T, tc){
-			func(t *testing.T, c tc) {
-				require.NoError(t, m.RevokeSubjectConsentSession(t.Context(), c.f.Subject))
-			},
-			func(t *testing.T, c tc) {
-				require.NoError(t, m.RevokeSubjectClientConsentSession(t.Context(), c.f.Subject, c.f.Client.ID))
-			},
-			func(t *testing.T, c tc) {
-				require.NoError(t, m.RevokeConsentSessionByID(t.Context(), c.f.ConsentRequestID.String()))
-			},
-		}
-		tcs := make([]tc, 2*len(revokeFuncs))
+		tcs := make([]tc, 2)
 		for i := range tcs {
-			f := MockConsentFlow(i < len(revokeFuncs), 0, true)
+			f := mockConsentRequest(true, 0, false)
 			f.NID = deps.Networker().NetworkID(t.Context())
 
 			tcs[i] = tc{
-				f:      f,
-				at:     uuidx.NewV4().String(),
-				rt:     uuidx.NewV4().String(),
-				revoke: revokeFuncs[i%len(revokeFuncs)],
+				subject: f.Subject,
+				client:  f.Client.ID,
+				at:      uuidx.NewV4().String(),
+				rt:      uuidx.NewV4().String(),
 			}
 
 			require.NoError(t, clientManager.CreateClient(t.Context(), f.Client))
 			require.NoError(t, m.CreateConsentSession(t.Context(), f))
-			sess := &oauth2.Session{DefaultSession: openid.NewDefaultSession()}
-			sess.Subject = f.Subject
-			sess.ConsentChallenge = f.ConsentRequestID.String()
 			require.NoError(t, fositeManager.CreateAccessTokenSession(t.Context(), tcs[i].at,
-				&fosite.Request{Client: f.Client, ID: f.ConsentRequestID.String(), RequestedAt: time.Now(), Session: sess}),
-			)
+				&fosite.Request{Client: f.Client, ID: f.ConsentRequestID.String(), RequestedAt: time.Now(), Session: &oauth2.Session{DefaultSession: openid.NewDefaultSession()}},
+			))
 			require.NoError(t, fositeManager.CreateRefreshTokenSession(t.Context(), tcs[i].rt, tcs[i].at,
-				&fosite.Request{Client: f.Client, ID: f.ConsentRequestID.String(), RequestedAt: time.Now(), Session: sess},
+				&fosite.Request{Client: f.Client, ID: f.ConsentRequestID.String(), RequestedAt: time.Now(), Session: &oauth2.Session{DefaultSession: openid.NewDefaultSession()}},
 			))
 		}
+		tcs[0].revoke = func(t *testing.T) {
+			require.NoError(t, m.RevokeSubjectConsentSession(t.Context(), tcs[0].subject))
+		}
+		tcs[1].revoke = func(t *testing.T) {
+			require.NoError(t, m.RevokeSubjectClientConsentSession(t.Context(), tcs[1].subject, tcs[1].client))
+		}
 
 		for i, tc := range tcs {
 			t.Run(fmt.Sprintf("run=%d", i), func(t *testing.T) {
@@ -307,7 +298,7 @@ func ConsentManagerTests(t *testing.T, deps Deps, m consent.Manager, loginManage
 				_, err = fositeManager.GetRefreshTokenSession(t.Context(), tc.rt, nil)
 				require.NoError(t, err)
 
-				tc.revoke(t, tc)
+				tc.revoke(t)
 
 				r, err := fositeManager.GetAccessTokenSession(t.Context(), tc.at, nil)
 				assert.ErrorIsf(t, err, fosite.ErrNotFound, "%+v", r)
@@ -325,7 +316,7 @@ func ConsentManagerTests(t *testing.T, deps Deps, m consent.Manager, loginManage
 	t.Run("case=list consents", func(t *testing.T) {
 		flows := make([]*flow.Flow, 2)
 		for i := range flows {
-			f := MockConsentFlow(true, 0, false)
+			f := mockConsentRequest(true, 0, false)
 			f.NID = deps.Networker().NetworkID(t.Context())
 			f.SessionID = sqlxx.NullString(uuidx.NewV4().String())
 			flows[i] = f
@@ -354,8 +345,8 @@ func ConsentManagerTests(t *testing.T, deps Deps, m consent.Manager, loginManage
 			}
 
 			t.Run("random subject", func(t *testing.T) {
-				res, _, err := m.FindSubjectsSessionGrantedConsentRequests(t.Context(), uuidx.NewV4().String(), flows[0].SessionID.String())
-				assert.ErrorIsf(t, err, consent.ErrNoPreviousConsentFound, "%+v", res)
+				_, _, err := m.FindSubjectsSessionGrantedConsentRequests(t.Context(), uuidx.NewV4().String(), flows[0].SessionID.String())
+				assert.ErrorIs(t, err, consent.ErrNoPreviousConsentFound)
 			})
 		})
 
@@ -435,7 +426,6 @@ func ConsentManagerTests(t *testing.T, deps Deps, m consent.Manager, loginManage
 						SessionID:          sqlxx.NullString(ls.ID),
 						ConsentRequestID:   sqlxx.NullString(uuid.Must(uuid.NewV4()).String()),
 						GrantedScope:       sqlxx.StringSliceJSONFormat{"scopea", "scopeb"},
-						ConsentRemember:    true,
 						ConsentRememberFor: pointerx.Ptr(0),
 					}
 

driver/di.go

@@ -4,7 +4,6 @@
 package driver
 
 import (
-	"github.com/ory/hydra/v2/consent"
 	"github.com/ory/hydra/v2/fosite"
 	"github.com/ory/hydra/v2/fosite/handler/oauth2"
 	"github.com/ory/hydra/v2/jwk"
@@ -59,10 +58,3 @@ func RegistryWithAuthorizeCodeStorage(s func(r *RegistrySQL) oauth2.AuthorizeCod
 		return nil
 	}
 }
-
-func RegistryWithConsentManager(cm func(r *RegistrySQL) (consent.Manager, error)) RegistryModifier {
-	return func(r *RegistrySQL) (err error) {
-		r.consentManager, err = cm(r)
-		return err
-	}
-}

driver/registry_sql.go

@@ -92,9 +92,7 @@ type RegistrySQL struct {
 	migrator             *sql.MigrationManager
 	dbOptsModifier       []func(details *pop.ConnectionDetails)
 
-	keyManager     jwk.Manager
-	consentManager consent.Manager
-
+	keyManager  jwk.Manager
 	initialPing func(ctx context.Context, l *logrusx.Logger, p *sql.BasePersister) error
 	middlewares []negroni.Handler
 }
@@ -265,12 +263,7 @@ func (m *RegistrySQL) PingContext(ctx context.Context) error { return m.basePers
 
 func (m *RegistrySQL) BasePersister() *sql.BasePersister { return m.basePersister }
 func (m *RegistrySQL) ClientManager() client.Manager     { return m.Persister() }
-func (m *RegistrySQL) ConsentManager() consent.Manager {
-	if m.consentManager != nil {
-		return m.consentManager
-	}
-	return &sql.ConsentPersister{BasePersister: m.basePersister}
-}
+func (m *RegistrySQL) ConsentManager() consent.Manager   { return m.Persister() }
 func (m *RegistrySQL) ObfuscatedSubjectManager() consent.ObfuscatedSubjectManager {
 	return m.Persister()
 }
@@ -387,14 +380,8 @@ func (m *RegistrySQL) HealthHandler() *healthx.Handler {
 				}
 
 				if status.HasPending() {
-					var notApplied []string
-					for _, s := range status {
-						if s.State != "Applied" {
-							notApplied = append(notApplied, s.Version)
-						}
-					}
-					err := errors.Errorf("migrations have not yet been fully applied: %+v", notApplied)
-					m.Logger().WithField("not_applied", fmt.Sprintf("%+v", notApplied)).WithError(err).Warn("Instance is not yet ready because migrations have not yet been fully applied.")
+					err := errors.Errorf("migrations have not yet been fully applied: %+v", status)
+					m.Logger().WithField("status", fmt.Sprintf("%+v", status)).WithError(err).Warn("Instance is not yet ready because migrations have not yet been fully applied.")
 					return err
 				}
 				return nil

flow/encoding_test.go

@@ -74,7 +74,7 @@ func TestEncoding(t *testing.T) {
 		State:              1,
 		LoginRemember:      true,
 		LoginRememberFor:   3600,
-		Context:            sqlxx.NullJSONRawMessage(`{"context-key1": "val1"}`),
+		Context:            sqlxx.JSONRawMessage(`{"context-key1": "val1"}`),
 		GrantedScope:       []string{"scope1", "scope2"},
 		GrantedAudience:    []string{"https://api.example.org/v1", "https://api.example.org/v2"},
 		ConsentRemember:    true,

flow/flow.go

@@ -228,7 +228,7 @@ type Flow struct {
 	// Context is an optional object which can hold arbitrary data. The data will be made available when fetching the
 	// consent request under the "context" field. This is useful in scenarios where login and consent endpoints share
 	// data.
-	Context sqlxx.NullJSONRawMessage `db:"context" json:"ct"`
+	Context sqlxx.JSONRawMessage `db:"context" json:"ct"`
 
 	LoginError           *RequestDeniedError `db:"-" json:"le,omitempty"`
 	LoginAuthenticatedAt sqlxx.NullTime      `db:"-" json:"la,omitempty"`
@@ -317,7 +317,7 @@ func (f *Flow) HandleLoginRequest(h *HandledLoginRequest) error {
 	f.State = FlowStateLoginUnused
 
 	if f.Context != nil {
-		f.Context = sqlxx.NullJSONRawMessage(h.Context)
+		f.Context = h.Context
 	}
 
 	f.Subject = h.Subject
@@ -398,7 +398,7 @@ func (f *Flow) HandleConsentRequest(r *AcceptOAuth2ConsentRequest) error {
 	f.ConsentHandledAt = sqlxx.NullTime(time.Now().UTC())
 	f.ConsentError = nil
 	if r.Context != nil {
-		f.Context = sqlxx.NullJSONRawMessage(r.Context)
+		f.Context = r.Context
 	}
 
 	if r.Session != nil {
@@ -455,7 +455,7 @@ func (f *Flow) GetConsentRequest(challenge string) *OAuth2ConsentRequest {
 		LoginSessionID:       f.SessionID,
 		ACR:                  f.ACR,
 		AMR:                  f.AMR,
-		Context:              sqlxx.JSONRawMessage(f.Context),
+		Context:              f.Context,
 	}
 	// set some defaults for the API
 	if cs.RequestedAudience == nil {
@@ -475,6 +475,9 @@ func (f *Flow) BeforeSave(_ *pop.Connection) error {
 	if f.Client != nil {
 		f.ClientID = f.Client.GetID()
 	}
+	if f.State == FlowStateLoginUnused && string(f.Context) == "" {
+		f.Context = sqlxx.JSONRawMessage("{}")
+	}
 	return nil
 }
 
@@ -553,7 +556,7 @@ func (f Flow) ToListConsentSessionResponse() *OAuth2ConsentSession {
 		Session:          &AcceptOAuth2ConsentRequestSession{AccessToken: f.SessionAccessToken, IDToken: f.SessionIDToken},
 		Remember:         f.ConsentRemember,
 		HandledAt:        f.ConsentHandledAt,
-		Context:          sqlxx.JSONRawMessage(f.Context),
+		Context:          f.Context,
 		ConsentRequest:   f.GetConsentRequest( /* No longer available and no longer needed: challenge =  */ ""),
 	}
 	s.ConsentRequest.Client.Secret = "" // do not leak client secret in response

flow/flow_encoding_test.go

@@ -65,7 +65,7 @@ func createTestFlow(nid uuid.UUID, state flow.State) *flow.Flow {
 		ACR:                        "http://acrvalues.example.org",
 		AMR:                        []string{"pwd"},
 		ForceSubjectIdentifier:     "forced-subject",
-		Context:                    sqlxx.NullJSONRawMessage(`{"foo":"bar"}`),
+		Context:                    sqlxx.JSONRawMessage(`{"foo":"bar"}`),
 		LoginAuthenticatedAt:       sqlxx.NullTime(time.Date(2025, 10, 9, 12, 52, 0, 0, time.UTC)),
 		DeviceChallengeID:          "device-challenge",
 		DeviceCodeRequestID:        "device-code-request",

flow/flow_test.go

@@ -40,7 +40,7 @@ func (f *Flow) setConsentRequest(r OAuth2ConsentRequest) {
 	f.SessionID = r.LoginSessionID
 	f.ACR = r.ACR
 	f.AMR = r.AMR
-	f.Context = sqlxx.NullJSONRawMessage(r.Context)
+	f.Context = r.Context
 }
 
 func TestFlow_HandleDeviceUserAuthRequest(t *testing.T) {
@@ -110,7 +110,7 @@ func TestFlow_UpdateFlowWithHandledLoginRequest(t *testing.T) {
 			assert.Equal(t, r.ACR, f.ACR)
 			assert.Equal(t, r.AMR, f.AMR)
 			assert.Equal(t, r.IdentityProviderSessionID, f.IdentityProviderSessionID.String())
-			assert.EqualValues(t, r.Context, f.Context)
+			assert.Equal(t, r.Context, f.Context)
 		},
 	)
 }

persistence/definitions.go

@@ -16,6 +16,7 @@ import (
 
 type (
 	Persister interface {
+		consent.Manager
 		consent.ObfuscatedSubjectManager
 		consent.LoginManager
 		consent.LogoutManager