letro/letro-authentication-service
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Fix FK constraint to preserve backchannel logout chain

Browse Source 
Change compat_sessions.user_session_id FK from ON DELETE SET NULL to ON DELETE NO ACTION. This prevents deletion of user_sessions while compat_sessions still reference them, which is critical for backchannel logout propagation.

When an upstream IdP sends a backchannel logout, MAS must trace through:
  upstream_oauth_authorization_sessions -> user_sessions -> compat_sessions

If user_session_id links are SET NULL, logout propagation fails.

Uses two-step migration (DROP+ADD NOT VALID, then VALIDATE) to minimize table locking during deployment.
This commit is contained in:
Quentin Gliech
2026-01-22 11:11:29 +01:00
parent 3b0937ca8e
commit c508c7899e
2 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
crates/storage-pg/migrations/20260122113523_compat_sessions_user_session_no_action.sql Normal file
View File

@@ -0,0 +1,19 @@
-- Copyright 2026 Element Creations Ltd.
--
-- SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
-- Please see LICENSE files in the repository root for full details.
-- Change compat_sessions.user_session_id FK from ON DELETE SET NULL to NO ACTION
-- This ensures user_sessions cannot be deleted while compat_sessions reference them,
-- which is required for backchannel logout propagation to work correctly.
--
-- Uses NOT VALID to avoid scanning the entire table while holding a lock.
-- A separate migration will validate the constraint.
ALTER TABLE compat_sessions
DROP CONSTRAINT compat_sessions_user_session_id_fkey,
ADD CONSTRAINT compat_sessions_user_session_id_fkey
FOREIGN KEY (user_session_id)
REFERENCES user_sessions (user_session_id)
ON DELETE NO ACTION
NOT VALID;

9
crates/storage-pg/migrations/20260122114353_compat_sessions_user_session_validate.sql Normal file
View File

@@ -0,0 +1,9 @@
-- Copyright 2026 Element Creations Ltd.
--
-- SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
-- Please see LICENSE files in the repository root for full details.
-- Validate the constraint added in the previous migration.
-- This scans the table but does not hold an exclusive lock.
ALTER TABLE compat_sessions
VALIDATE CONSTRAINT compat_sessions_user_session_id_fkey;