fix: force autocommit for device auth code migration (#3991)

<!--
Describe the big picture of your changes here to communicate to the
maintainers why we should accept this pull request.

This text will be included in the changelog. If applicable, include
links to documentation or pieces of code.
If your change includes breaking changes please add a code block
documenting the breaking change:

```
BREAKING CHANGES: This patch changes the behavior of configuration item `foo` to do bar. To keep the existing
behavior please do baz.
```
-->

## Related issue(s)

<!--
If this pull request

1. is a fix for a known bug, link the issue where the bug was reported
in the format of `#1234`;
2. is a fix for a previously unknown bug, explain the bug and how to
reproduce it in this pull request;
3. implements a new feature, link the issue containing the design
document in the format of `#1234`;
4. improves the documentation, no issue reference is required.

Pull requests introducing new features, which do not have a design
document linked are more likely to be rejected and take on average 2-8
weeks longer to
get merged.

You can discuss changes with maintainers either in the Github
Discussions in this repository or
join the [Ory Chat](https://www.ory.sh/chat).
-->

## Checklist

<!--
Put an `x` in the boxes that apply. You can also fill these out after
creating the PR.

Please be aware that pull requests must have all boxes ticked in order
to be merged.

If you're unsure about any of them, don't hesitate to ask. We're here to
help!
-->

- [ ] I have read the [contributing
guidelines](../blob/master/CONTRIBUTING.md).
- [ ] I have referenced an issue containing the design document if my
change
      introduces a new feature.
- [ ] I am following the
[contributing code
guidelines](../blob/master/CONTRIBUTING.md#contributing-code).
- [ ] I have read the [security policy](../security/policy).
- [ ] I confirm that this pull request does not address a security
vulnerability. If this pull request addresses a security vulnerability,
I
      confirm that I got the approval (please contact
[[email protected]](mailto:[email protected])) from the maintainers to push
      the changes.
- [ ] I have added tests that prove my fix is effective or that my
feature
      works.
- [ ] I have added or changed [the
documentation](https://github.com/ory/docs).

## Further Comments

<!--
If this is a relatively large or complex change, kick off the discussion
by explaining why you chose the solution
you did and what alternatives you considered, etc...
-->

---------

Co-authored-by: zepatrik <[email protected]>

Author: aeneasr

persistence/sql/migratest/fixtures/hydra_client/client-23.json

@@ -0,0 +1,140 @@
+{
+  "AccessTokenStrategy": "",
+  "AllowedCORSOrigins": [
+    "http://cors/23_1",
+    "http://cors/23_2"
+  ],
+  "Audience": [
+    "autdience-23_1",
+    "autdience-23_2"
+  ],
+  "BackChannelLogoutSessionRequired": true,
+  "BackChannelLogoutURI": "http://back_logout/23",
+  "ClientURI": "http://client/23",
+  "Contacts": [
+    "contact-23_1",
+    "contact-23_2"
+  ],
+  "CreatedAt": "0001-01-01T00:00:00Z",
+  "FrontChannelLogoutSessionRequired": true,
+  "FrontChannelLogoutURI": "http://front_logout/23",
+  "GrantTypes": [
+    "grant-23_1",
+    "grant-23_2"
+  ],
+  "ID": "client-23",
+  "JSONWebKeys": {
+    "JSONWebKeySet": null
+  },
+  "JSONWebKeysURI": "http://jwks/23",
+  "Lifespans": {
+    "AuthorizationCodeGrantAccessTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "AuthorizationCodeGrantIDTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "AuthorizationCodeGrantRefreshTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "ClientCredentialsGrantAccessTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "DeviceAuthorizationGrantAccessTokenLifespan": {
+      "Duration": 3600,
+      "Valid": true
+    },
+    "DeviceAuthorizationGrantIDTokenLifespan": {
+      "Duration": 3600,
+      "Valid": true
+    },
+    "DeviceAuthorizationGrantRefreshTokenLifespan": {
+      "Duration": 3600,
+      "Valid": true
+    },
+    "ImplicitGrantAccessTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "ImplicitGrantIDTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "JwtBearerGrantAccessTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "PasswordGrantAccessTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "PasswordGrantRefreshTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "RefreshTokenGrantAccessTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "RefreshTokenGrantIDTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    },
+    "RefreshTokenGrantRefreshTokenLifespan": {
+      "Duration": 0,
+      "Valid": false
+    }
+  },
+  "LogoURI": "http://logo/23",
+  "Metadata": {
+    "migration": "23"
+  },
+  "NID": "00000000-0000-0000-0000-000000000000",
+  "Name": "Client 23",
+  "Owner": "owner-23",
+  "PK": {
+    "String": "",
+    "Valid": false
+  },
+  "PKDeprecated": 0,
+  "PolicyURI": "http://policy/23",
+  "PostLogoutRedirectURIs": [
+    "http://post_redirect/23_1",
+    "http://post_redirect/23_2"
+  ],
+  "RedirectURIs": [
+    "http://redirect/23_1",
+    "http://redirect/23_2"
+  ],
+  "RegistrationAccessToken": "",
+  "RegistrationAccessTokenSignature": "",
+  "RegistrationClientURI": "",
+  "RequestObjectSigningAlgorithm": "r_alg-23",
+  "RequestURIs": [
+    "http://request/23_1",
+    "http://request/23_2"
+  ],
+  "ResponseTypes": [
+    "response-23_1",
+    "response-23_2"
+  ],
+  "Scope": "scope-23",
+  "Secret": "secret-23",
+  "SecretExpiresAt": 0,
+  "SectorIdentifierURI": "http://sector_id/23",
+  "SkipConsent": true,
+  "SkipLogoutConsent": {
+    "Bool": true,
+    "Valid": true
+  },
+  "SubjectType": "subject-23",
+  "TermsOfServiceURI": "http://tos/23",
+  "TokenEndpointAuthMethod": "token_auth-23",
+  "TokenEndpointAuthSigningAlgorithm": "",
+  "UpdatedAt": "0001-01-01T00:00:00Z",
+  "UserinfoSignedResponseAlg": "u_alg-23"
+}

persistence/sql/migratest/fixtures/hydra_oauth2_device_auth_codes/device-code-signature-0001.json

@@ -0,0 +1,21 @@
+{
+  "ID": "device-code-signature-0001",
+  "UserCodeID": "user-code-signature-0001",
+  "NID": "00000000-0000-0000-0000-000000000000",
+  "Request": "request-id-0001",
+  "ConsentChallenge": {
+    "String": "challenge-0018",
+    "Valid": true
+  },
+  "RequestedAt": "2025-05-16T12:24:00Z",
+  "Client": "client-21",
+  "Scopes": "[\"scope-0001_1\",\"scope-0001_2\"]",
+  "GrantedScope": "[\"granted_scope-0001_1\",\"granted_scope-0001_2\"]",
+  "RequestedAudience": "[\"requested_audience-0001_1\",\"requested_audience-0001_2\"]",
+  "GrantedAudience": "[\"granted_audience-0001_1\",\"granted_audience-0001_2\"]",
+  "Form": "{\"form_data\": \"0001\"}",
+  "Subject": "subject-0001",
+  "DeviceCodeActive": true,
+  "UserCodeState": 0,
+  "Session": "eyJzZXNzaW9uX2RhdGEiOiAiMDAwMSJ9"
+}

persistence/sql/migratest/fixtures/hydra_oauth2_flow/challenge-0018.json

@@ -9,11 +9,12 @@
     "requested_audience-0018_1",
     "requested_audience-0018_2"
   ],
-  "ls": false,
+  "ls": true,
   "s": "subject-0018",
-  "oc": {},
+  "oc": {
+    "display": "display-0018"
+  },
   "r": "http://request/0018",
-  "si": "auth_session-0018",
   "lv": "verifier-0018",
   "lc": "csrf-0018",
   "li": null,
@@ -23,7 +24,10 @@
   "lf": 15,
   "ll": true,
   "a": "acr-0018",
-  "am": [],
+  "am": [
+    "amr-0018-1",
+    "amr-0018-2"
+  ],
   "fs": "force_subject_id-0018",
   "ct": {
     "context": "0018"
@@ -38,13 +42,20 @@
     "valid": false
   },
   "la": null,
-  "di": "challenge-0018",
-  "dr": "request-0018",
-  "dv": "verifier-0018",
-  "dc": "csrf-0018",
+  "di": "device-challenge-0018",
+  "dr": "device-request-id-0018",
+  "dv": "device-verifier-0018",
+  "dc": "device-csrf-0018",
   "du": true,
-  "dh": "0001-01-01T00:00:00Z",
-  "de": null,
+  "dh": "2025-05-16T12:24:00Z",
+  "de": {
+    "error": "",
+    "error_description": "",
+    "error_hint": "",
+    "status_code": 0,
+    "error_debug": "",
+    "valid": false
+  },
   "cc": "challenge-0018",
   "cs": true,
   "cv": "verifier-0018",

persistence/sql/migratest/migration_test.go

@@ -124,7 +124,7 @@ func TestMigrations(t *testing.T) {
 				t.Run("case=hydra_client", func(t *testing.T) {
 					cs := []client.Client{}
 					require.NoError(t, c.All(&cs))
-					require.Len(t, cs, 19)
+					require.Len(t, cs, 20)
 					for _, c := range cs {
 						require.False(t, c.CreatedAt.IsZero())
 						require.False(t, c.UpdatedAt.IsZero())
@@ -155,7 +155,7 @@ func TestMigrations(t *testing.T) {
 
 				flows := []flow.Flow{}
 				require.NoError(t, c.All(&flows))
-				require.Len(t, flows, 17)
+				require.Len(t, flows, 18)
 
 				t.Run("case=hydra_oauth2_flow", func(t *testing.T) {
 					for _, f := range flows {
@@ -294,6 +294,18 @@ func TestMigrations(t *testing.T) {
 					}
 				})
 
+				t.Run("case=hydra_oauth2_device_auth_codes", func(t *testing.T) {
+					rs := []sql.DeviceRequestSQL{}
+					require.NoError(t, c.All(&rs))
+					require.Len(t, rs, 1)
+
+					for _, r := range rs {
+						testhelpersuuid.AssertUUID(t, r.NID)
+						r.NID = uuid.Nil
+						CompareWithFixture(t, r, "hydra_oauth2_device_auth_codes", r.ID)
+					}
+				})
+
 				t.Run("case=networks", func(t *testing.T) {
 					ns := []networkx.Network{}
 					require.NoError(t, c.RawQuery("SELECT * FROM networks").All(&ns))

persistence/sql/migratest/testdata/20241609000001_testdata.sql

@@ -0,0 +1,106 @@
+INSERT INTO hydra_client (id,
+                          nid,
+                          client_name,
+                          client_secret,
+                          redirect_uris,
+                          grant_types,
+                          response_types,
+                          scope,
+                          owner,
+                          policy_uri,
+                          tos_uri,
+                          client_uri,
+                          logo_uri,
+                          contacts,
+                          client_secret_expires_at,
+                          sector_identifier_uri,
+                          jwks,
+                          jwks_uri,
+                          request_uris,
+                          token_endpoint_auth_method,
+                          request_object_signing_alg,
+                          userinfo_signed_response_alg,
+                          subject_type,
+                          allowed_cors_origins,
+                          pk_deprecated,
+                          audience,
+                          created_at,
+                          updated_at,
+                          frontchannel_logout_uri,
+                          frontchannel_logout_session_required,
+                          post_logout_redirect_uris,
+                          backchannel_logout_uri,
+                          backchannel_logout_session_required,
+                          metadata,
+                          token_endpoint_auth_signing_alg,
+                          pk,
+                          registration_access_token_signature,
+                          skip_consent,
+                          skip_logout_consent,
+                          device_authorization_grant_id_token_lifespan,
+                          device_authorization_grant_access_token_lifespan,
+                          device_authorization_grant_refresh_token_lifespan)
+VALUES ('client-23',
+        (SELECT id FROM networks LIMIT 1), 'Client 23', 'secret-23', '["http://redirect/23_1","http://redirect/23_2"]', '["grant-23_1","grant-23_2"]', '["response-23_1","response-23_2"]', 'scope-23', 'owner-23', 'http://policy/23', 'http://tos/23', 'http://client/23', 'http://logo/23', '["contact-23_1","contact-23_2"]', 0, 'http://sector_id/23', '', 'http://jwks/23', '["http://request/23_1","http://request/23_2"]', 'token_auth-23', 'r_alg-23', 'u_alg-23', 'subject-23', '["http://cors/23_1","http://cors/23_2"]', 0, '["autdience-23_1","autdience-23_2"]', '2023-02-15 23:20:23.004598', '2023-02-15 23:20:23.004598', 'http://front_logout/23', true, '["http://post_redirect/23_1","http://post_redirect/23_2"]', 'http://back_logout/23', true, '{"migration": "23"}', '', '52f38352-7944-4ace-b55c-5aded28f4ba6', '', TRUE, TRUE, 3600, 3600, 3600);
+
+
+INSERT INTO hydra_oauth2_flow (login_challenge,
+                               nid,
+                               requested_scope,
+                               login_verifier,
+                               login_csrf,
+                               subject,
+                               request_url,
+                               login_skip,
+                               client_id,
+                               requested_at,
+                               oidc_context,
+                               login_session_id,
+                               requested_at_audience,
+                               login_initialized_at,
+                               state,
+                               login_remember,
+                               login_remember_for,
+                               login_error,
+                               acr,
+                               login_authenticated_at,
+                               login_was_used,
+                               forced_subject_identifier,
+                               context,
+                               amr,
+                               consent_challenge_id,
+                               consent_verifier,
+                               consent_skip,
+                               consent_csrf,
+                               granted_scope,
+                               consent_remember,
+                               consent_remember_for,
+                               consent_error,
+                               session_access_token,
+                               session_id_token,
+                               consent_was_used,
+                               granted_at_audience,
+                               consent_handled_at,
+                               login_extend_session_lifespan,
+                               device_challenge_id,
+                               device_code_request_id,
+                               device_verifier,
+                               device_csrf,
+                               device_was_used,
+                               device_handled_at,
+                               device_error)
+VALUES ('challenge-0018',
+        (SELECT id FROM networks LIMIT 1), '["requested_scope-0018_1","requested_scope-0018_2"]', 'verifier-0018', 'csrf-0018', 'subject-0018', 'http://request/0018', true, 'client-21', '2025-05-16 12:24', '{"display": "display-0018"}', NULL, '["requested_audience-0018_1","requested_audience-0018_2"]', '2025-05-16 12:24', 128, true, 15, '{}', 'acr-0018', '2025-05-16 12:24', true, 'force_subject_id-0018', '{"context": "0018"}', '["amr-0018-1","amr-0018-2"]', 'challenge-0018', 'verifier-0018', true, 'csrf-0018', '["granted_scope-0018_1","granted_scope-0018_2"]', true, 15, '{}', '{"session_access_token-0018": "0018"}', '{"session_id_token-0018": "0018"}', true, '["granted_audience-0018_1","granted_audience-0018_2"]', '2025-05-16 12:24', true, 'device-challenge-0018', 'device-request-id-0018', 'device-verifier-0018', 'device-csrf-0018', true, '2025-05-16 12:24', '{}' );
+
+INSERT INTO hydra_oauth2_device_auth_codes (device_code_signature, user_code_signature, request_id, requested_at,
+                                            client_id, scope, granted_scope, form_data, session_data, subject,
+                                            device_code_active, user_code_state, requested_audience, granted_audience,
+                                            challenge_id, expires_at, nid)
+VALUES ('device-code-signature-0001', 'user-code-signature-0001', 'request-id-0001', '2025-05-16 12:24',
+        'client-21', '["scope-0001_1","scope-0001_2"]', '["granted_scope-0001_1","granted_scope-0001_2"]',
+        '{"form_data": "0001"}',
+        '{"session_data": "0001"}', 'subject-0001', true, 0,
+        '["requested_audience-0001_1","requested_audience-0001_2"]',
+        '["granted_audience-0001_1","granted_audience-0001_2"]', 'challenge-0018', '2025-05-16 12:24',
+        (SELECT id FROM networks LIMIT 1)
+  );

persistence/sql/migrations/20241609000001000000_device_flow.autocommit.down.sql

@@ -0,0 +1,15 @@
+DROP TABLE IF EXISTS hydra_oauth2_device_auth_codes;
+
+ALTER TABLE hydra_oauth2_flow
+  DROP COLUMN IF EXISTS device_challenge_id,
+  DROP COLUMN IF EXISTS device_code_request_id,
+  DROP COLUMN IF EXISTS device_verifier,
+  DROP COLUMN IF EXISTS device_csrf,
+  DROP COLUMN IF EXISTS device_was_used,
+  DROP COLUMN IF EXISTS device_handled_at,
+  DROP COLUMN IF EXISTS device_error;
+
+ALTER TABLE hydra_client
+  DROP COLUMN IF EXISTS device_authorization_grant_id_token_lifespan,
+  DROP COLUMN IF EXISTS device_authorization_grant_access_token_lifespan,
+  DROP COLUMN IF EXISTS device_authorization_grant_refresh_token_lifespan;