refactor: update device session persistence logic

consent/handler_test.go

@@ -340,12 +340,13 @@ func TestAcceptDeviceRequest(t *testing.T) {
 			DefaultSession: &openid.DefaultSession{
 				Headers: &jwt.Headers{},
 			},
-			BrowserFlowCompleted: false,
 		},
 	)
+	_, deviceCodesig, err := reg.RFC8628HMACStrategy().GenerateDeviceCode(ctx)
+	require.NoError(t, err)
 	userCode, sig, err := reg.RFC8628HMACStrategy().GenerateUserCode(ctx)
 	require.NoError(t, err)
-	reg.OAuth2Storage().CreateUserCodeSession(ctx, sig, deviceRequest)
+	reg.OAuth2Storage().CreateDeviceAuthSession(ctx, deviceCodesig, sig, deviceRequest)
 	require.NoError(t, err)
 
 	acceptUserCode := &hydra.AcceptDeviceUserCodeRequest{UserCode: &userCode}
@@ -408,12 +409,13 @@ func TestAcceptDuplicateDeviceRequest(t *testing.T) {
 			DefaultSession: &openid.DefaultSession{
 				Headers: &jwt.Headers{},
 			},
-			BrowserFlowCompleted: false,
 		},
 	)
+	_, deviceCodesig, err := reg.RFC8628HMACStrategy().GenerateDeviceCode(ctx)
+	require.NoError(t, err)
 	userCode, sig, err := reg.RFC8628HMACStrategy().GenerateUserCode(ctx)
 	require.NoError(t, err)
-	reg.OAuth2Storage().CreateUserCodeSession(ctx, sig, deviceRequest)
+	reg.OAuth2Storage().CreateDeviceAuthSession(ctx, deviceCodesig, sig, deviceRequest)
 	require.NoError(t, err)
 
 	acceptUserCode := &hydra.AcceptDeviceUserCodeRequest{UserCode: &userCode}
@@ -499,7 +501,6 @@ func TestAcceptCodeDeviceRequestFailure(t *testing.T) {
 						DefaultSession: &openid.DefaultSession{
 							Headers: &jwt.Headers{},
 						},
-						BrowserFlowCompleted: false,
 					},
 				)
 				userCode, _, err := reg.RFC8628HMACStrategy().GenerateUserCode(ctx)
@@ -523,7 +524,6 @@ func TestAcceptCodeDeviceRequestFailure(t *testing.T) {
 						DefaultSession: &openid.DefaultSession{
 							Headers: &jwt.Headers{},
 						},
-						BrowserFlowCompleted: false,
 					},
 				)
 				userCode := ""
@@ -546,7 +546,6 @@ func TestAcceptCodeDeviceRequestFailure(t *testing.T) {
 						DefaultSession: &openid.DefaultSession{
 							Headers: &jwt.Headers{},
 						},
-						BrowserFlowCompleted: false,
 					},
 				)
 				userCode, _, err := reg.RFC8628HMACStrategy().GenerateUserCode(ctx)
@@ -570,7 +569,6 @@ func TestAcceptCodeDeviceRequestFailure(t *testing.T) {
 						DefaultSession: &openid.DefaultSession{
 							Headers: &jwt.Headers{},
 						},
-						BrowserFlowCompleted: false,
 					},
 				)
 				userCode, _, err := reg.RFC8628HMACStrategy().GenerateUserCode(ctx)
@@ -594,22 +592,22 @@ func TestAcceptCodeDeviceRequestFailure(t *testing.T) {
 						DefaultSession: &openid.DefaultSession{
 							Headers: &jwt.Headers{},
 						},
-						BrowserFlowCompleted: false,
 					},
 				)
+				_, deviceCodesig, err := reg.RFC8628HMACStrategy().GenerateDeviceCode(ctx)
+				require.NoError(t, err)
 				userCode, sig, err := reg.RFC8628HMACStrategy().GenerateUserCode(ctx)
 				require.NoError(t, err)
 				deviceRequest.SetSession(
 					&oauth2.Session{
 						DefaultSession: &openid.DefaultSession{
 							Headers: &jwt.Headers{},
 						},
-						BrowserFlowCompleted: false,
 					},
 				)
 				exp := time.Now().UTC()
 				deviceRequest.Session.SetExpiresAt(fosite.UserCode, exp)
-				err = reg.OAuth2Storage().CreateUserCodeSession(ctx, sig, deviceRequest)
+				err = reg.OAuth2Storage().CreateDeviceAuthSession(ctx, deviceCodesig, sig, deviceRequest)
 				require.NoError(t, err)
 				return json.Marshal(&hydra.AcceptDeviceUserCodeRequest{UserCode: &userCode})
 			},
@@ -633,7 +631,6 @@ func TestAcceptCodeDeviceRequestFailure(t *testing.T) {
 						DefaultSession: &openid.DefaultSession{
 							Headers: &jwt.Headers{},
 						},
-						BrowserFlowCompleted: false,
 					},
 				)
 				userCode, _, err := reg.RFC8628HMACStrategy().GenerateUserCode(ctx)

consent/manager.go

@@ -6,7 +6,6 @@ package consent
 import (
 	"context"
 
-	"github.com/gobuffalo/pop/v6"
 	"github.com/gofrs/uuid"
 
 	"github.com/ory/hydra/v2/client"
@@ -66,8 +65,6 @@ type (
 		GetDeviceUserAuthRequest(ctx context.Context, challenge string) (*flow.DeviceUserAuthRequest, error)
 		HandleDeviceUserAuthRequest(ctx context.Context, f *flow.Flow, challenge string, r *flow.HandledDeviceUserAuthRequest) (*flow.DeviceUserAuthRequest, error)
 		VerifyAndInvalidateDeviceUserAuthRequest(ctx context.Context, verifier string) (*flow.HandledDeviceUserAuthRequest, error)
-
-		Transaction(context.Context, func(ctx context.Context, c *pop.Connection) error) error
 	}
 
 	ManagerProvider interface {

consent/strategy_default.go

@@ -13,7 +13,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/gobuffalo/pop/v6"
 	"github.com/gorilla/sessions"
 	"github.com/hashicorp/go-retryablehttp"
 	"github.com/pborman/uuid"
@@ -1243,15 +1242,10 @@ func (s *DefaultStrategy) HandleOAuth2DeviceAuthorizationRequest(
 	var consentSession *flow.AcceptOAuth2ConsentRequest
 	var f *flow.Flow
 
-	err = s.r.ConsentManager().Transaction(ctx, func(ctx context.Context, c *pop.Connection) error {
-		consentSession, f, err = s.verifyConsent(ctx, w, r, consentVerifier)
-		if err != nil {
-			return err
-		}
-		err = s.r.OAuth2Storage().UpdateAndInvalidateUserCodeSessionByRequestID(ctx, string(f.DeviceCodeRequestID), f.ID)
-
-		return err
-	})
+	consentSession, f, err = s.verifyConsent(ctx, w, r, consentVerifier)
+	if err != nil {
+		return nil, nil, err
+	}
 
 	return consentSession, f, err
 }

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -30,8 +30,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "requester": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -31,8 +31,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "request": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -30,8 +30,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "requester": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -31,8 +31,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "request": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -30,8 +30,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "requester": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -31,8 +31,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "request": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -30,8 +30,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "requester": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -31,8 +31,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "request": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -30,8 +30,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "requester": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -31,8 +31,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "request": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -30,8 +30,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "requester": {
     "client_id": "app-client",

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -31,8 +31,7 @@
     "consent_challenge": "",
     "exclude_not_before_claim": false,
     "allowed_top_level_claims": [],
-    "mirror_top_level_claims": true,
-    "browser_flow_completed": false
+    "mirror_top_level_claims": true
   },
   "request": {
     "client_id": "app-client",

oauth2/.snapshots/TestUnmarshalSession-v1.11.8.json

@@ -47,6 +47,5 @@
     "zone",
     "login_session_id"
   ],
-  "mirror_top_level_claims": false,
-  "browser_flow_completed": false
+  "mirror_top_level_claims": false
 }

oauth2/.snapshots/TestUnmarshalSession-v1.11.9.json

@@ -47,6 +47,5 @@
     "zone",
     "login_session_id"
   ],
-  "mirror_top_level_claims": false,
-  "browser_flow_completed": false
+  "mirror_top_level_claims": false
 }

oauth2/fixtures/v1.11.8-session.json

@@ -44,6 +44,5 @@
     "market",
     "zone",
     "login_session_id"
-  ],
-  "BrowserFlowCompleted": false
+  ]
 }

oauth2/fixtures/v1.11.9-session.json

@@ -44,6 +44,5 @@
     "market",
     "zone",
     "login_session_id"
-  ],
-  "browser_flow_completed": false
+  ]
 }

oauth2/handler.go

@@ -729,6 +729,15 @@ func (h *Handler) getOidcUserInfo(w http.ResponseWriter, r *http.Request) {
 func (h *Handler) performOAuth2DeviceVerificationFlow(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	ctx := r.Context()
 
+	// When this endpoint is called with a valid consent_verifier (meaning that the login flow completed successfully)
+	// there are 3 writes happening to the database:
+	// - The flow is created
+	// - The device auth session is updated (user_code is marked as accepted)
+	// - The OpenID session is created
+	// If there were multiple flows created for the same user_code then we may end up with multiple flow objects
+	// persisted to the database, while only one of them was actually used to validate the user_code
+	// (see https://github.com/ory/hydra/pull/3851#discussion_r1843678761)
+	// TODO: We should wrap these queries in a transaction
 	consentSession, f, err := h.r.ConsentStrategy().HandleOAuth2DeviceAuthorizationRequest(ctx, w, r)
 	if errors.Is(err, consent.ErrAbortOAuth2Request) {
 		x.LogAudit(r, nil, h.r.AuditLogger())
@@ -753,18 +762,18 @@ func (h *Handler) performOAuth2DeviceVerificationFlow(w http.ResponseWriter, r *
 		h.r.Writer().WriteError(w, r, err)
 		return
 	}
+	req.SetUserCodeState(fosite.UserCodeAccepted)
 	session, err := h.updateSessionWithRequest(ctx, consentSession, f, r, req, req.GetSession().(*Session))
 	if err != nil {
 		h.r.Writer().WriteError(w, r, err)
 		return
 	}
-	session.SetBrowserFlowCompleted(true)
-
 	req.SetSession(session)
 	// Update the device code session with
 	//   - the claims for which the user gave consent
 	//   - the granted scopes
 	//   - the granted audiences
+	//   - the user_code_state set to accepted
 	// This marks it as ready to be used for the token exchange endpoint.
 	err = h.r.OAuth2Storage().UpdateDeviceCodeSessionByRequestID(ctx, f.DeviceCodeRequestID.String(), req)
 	if err != nil {
@@ -862,7 +871,6 @@ func (h *Handler) oAuth2DeviceFlow(w http.ResponseWriter, r *http.Request) {
 		DefaultSession: &openid.DefaultSession{
 			Headers: &jwt.Headers{},
 		},
-		BrowserFlowCompleted: false,
 	}
 
 	resp, err := h.r.OAuth2Provider().NewDeviceResponse(ctx, request, session)