Delete user related oauth stuff on user deletion too (#19677)
author6543 <6543@obermui.de>
Wed, 11 May 2022 11:16:35 +0000 (13:16 +0200)
committerGitHub <noreply@github.com>
Wed, 11 May 2022 11:16:35 +0000 (13:16 +0200)
* delete user related oauth stuff on user deletion too

* extend doctor check-db-consistency

models/auth/oauth2.go
models/user.go
modules/doctor/dbconsistency.go

index 4d44a8842ad0cbfd57e4f6974fac712735eb7df6..ca77fcdb78266ce45ea88fe2cd7efd4b096502a9 100644 (file)
@@ -5,6 +5,7 @@
 package auth
 
 import (
+       "context"
        "crypto/sha256"
        "encoding/base32"
        "encoding/base64"
@@ -18,6 +19,7 @@ import (
 
        uuid "github.com/google/uuid"
        "golang.org/x/crypto/bcrypt"
+       "xorm.io/builder"
        "xorm.io/xorm"
 )
 
@@ -576,3 +578,21 @@ func GetActiveOAuth2SourceByName(name string) (*Source, error) {
 
        return authSource, nil
 }
+
+func DeleteOAuth2RelictsByUserID(ctx context.Context, userID int64) error {
+       deleteCond := builder.Select("id").From("oauth2_grant").Where(builder.Eq{"oauth2_grant.user_id": userID})
+
+       if _, err := db.GetEngine(ctx).In("grant_id", deleteCond).
+               Delete(&OAuth2AuthorizationCode{}); err != nil {
+               return err
+       }
+
+       if err := db.DeleteBeans(ctx,
+               &OAuth2Application{UID: userID},
+               &OAuth2Grant{UserID: userID},
+       ); err != nil {
+               return fmt.Errorf("DeleteBeans: %v", err)
+       }
+
+       return nil
+}
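Review bot: `DeleteOAuth2RelictsByUserID` selects grants only by `oauth2_grant.user_id`, yet the `DeleteBeans` call also removes every `OAuth2Application` whose `UID` is the deleted user. Grants that other users issued to those applications, and the authorization codes under them, match neither delete, so they would presumably remain and point at an application that no longer exists. Deleting grants and codes by the deleted user's application ids before the applications themselves would close that gap. The function is exported without a doc comment; I would add `// DeleteOAuth2RelictsByUserID deletes the OAuth2 applications, grants and authorization codes that belong to the given user.` and note there that atomicity of the two deletes depends on the ctx the caller passes. The first delete returns the raw error while the second wraps it with `%v`; wrapping both with `%w` would keep the failing step identifiable.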
index e805c746cbc72a737d14871a4c2c62f008657a25..6816527e47bb9f8e17eb9ef72275f644059cc594 100644 (file)
@@ -13,6 +13,7 @@ import (
        _ "image/jpeg" // Needed for jpeg support
 
        asymkey_model "code.gitea.io/gitea/models/asymkey"
+       auth_model "code.gitea.io/gitea/models/auth"
        "code.gitea.io/gitea/models/db"
        "code.gitea.io/gitea/models/issues"
        "code.gitea.io/gitea/models/organization"
@@ -89,6 +90,10 @@ func DeleteUser(ctx context.Context, u *user_model.User) (err error) {
                return fmt.Errorf("deleteBeans: %v", err)
        }
 
+       if err := auth_model.DeleteOAuth2RelictsByUserID(ctx, u.ID); err != nil {
+               return err
+       }
+
        if setting.Service.UserDeleteWithCommentsMaxTime != 0 &&
                u.CreatedUnix.AsTime().Add(setting.Service.UserDeleteWithCommentsMaxTime).After(time.Now()) {
 
index 6b5755608b5885ff7e9a9dfcc6f88d7f6109c0be..9ab8feb6794b11c72a3eedcd947cf0825ad8f09c 100644 (file)
@@ -186,6 +186,15 @@ func checkDBConsistency(ctx context.Context, logger log.Logger, autofix bool) er
                // find action without repository
                genericOrphanCheck("Action entries without existing repository",
                        "action", "repository", "action.repo_id=repository.id"),
+               // find OAuth2Grant without existing user
+               genericOrphanCheck("Orphaned OAuth2Grant without existing User",
+                       "oauth2_grant", "user", "oauth2_grant.user_id=user.id"),
+               // find OAuth2Application without existing user
+               genericOrphanCheck("Orphaned OAuth2Application without existing User",
+                       "oauth2_application", "user", "oauth2_application.uid=user.id"),
+               // find OAuth2AuthorizationCode without existing OAuth2Grant
+               genericOrphanCheck("Orphaned OAuth2AuthorizationCode without existing OAuth2Grant",
+                       "oauth2_authorization_code", "oauth2_grant", "oauth2_authorization_code.grant_id=oauth2_grant.id"),
        )
 
        for _, c := range consistencyChecks {
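Review bot: The three added checks cover grant-to-user, application-to-user and code-to-grant, but nothing detects an `oauth2_grant` row whose application is gone. That is the state left behind when an application is deleted while other users still hold grants for it. A fourth entry such as `genericOrphanCheck("Orphaned OAuth2Grant without existing OAuth2Application", "oauth2_grant", "oauth2_application", "oauth2_grant.application_id=oauth2_application.id"),` would let doctor find and fix those rows; the column name `application_id` is assumed here and should be confirmed against the `OAuth2Grant` model. `checkDBConsistency` starts and ends outside this hunk.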