fix: resolve migration regressions

BREAKING CHANGES: We removed compatibility with unsupported database versions (e.g. MySQL 5.6). Ory Hydra v2.x is now compatible with MySQL 8.0.13+, PostgreSQL 11.8+, CockroachDB v22.1.2+.

.github/workflows/ci.yaml

@@ -49,15 +49,15 @@ jobs:
       - sdk-generate
     services:
       postgres:
-        image: postgres:9.6
+        image: postgres:11.8
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:8.0
+        image: mysql:8.0.26
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:
@@ -150,15 +150,15 @@ jobs:
         args: ["", "--jwt"]
     services:
       postgres:
-        image: postgres:9.6
+        image: postgres:11.8
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:8.0
+        image: mysql:8.0.26
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:

Makefile

@@ -60,8 +60,8 @@ test-resetdb: node_modules
 		docker rm -f hydra_test_database_mysql || true
 		docker rm -f hydra_test_database_postgres || true
 		docker rm -f hydra_test_database_cockroach || true
-		docker run --rm --name hydra_test_database_mysql --platform linux/amd64 -p 3444:3306 -e MYSQL_ROOT_PASSWORD=secret -d mysql:5.7
-		docker run --rm --name hydra_test_database_postgres --platform linux/amd64 -p 3445:5432 -e POSTGRES_PASSWORD=secret -e POSTGRES_DB=postgres -d postgres:9.6
+		docker run --rm --name hydra_test_database_mysql  --platform linux/amd64 -p 3444:3306 -e MYSQL_ROOT_PASSWORD=secret -d mysql:8.0.26
+		docker run --rm --name hydra_test_database_postgres --platform linux/amd64 -p 3445:5432 -e POSTGRES_PASSWORD=secret -e POSTGRES_DB=postgres -d postgres:11.8
 		docker run --rm --name hydra_test_database_cockroach --platform linux/amd64 -p 3446:26257 -d cockroachdb/cockroach:v22.1.2 start-single-node --insecure
 
 # Build local docker images

cmd/cmd_perform_authorization_code.go

@@ -188,8 +188,11 @@ and success, unless if the --no-shutdown flag is provided.`,
 				tlsc = &tls.Config{Certificates: []tls.Certificate{*cert}}
 			}
 
-			// #nosec G112 false positive
-			server := graceful.WithDefaults(&http.Server{Addr: fmt.Sprintf(":%d", port), Handler: r, TLSConfig: tlsc})
+			server := graceful.WithDefaults(&http.Server{
+				Addr:    fmt.Sprintf(":%d", port),
+				Handler: r, TLSConfig: tlsc,
+				ReadHeaderTimeout: time.Second * 5,
+			})
 			var shutdown = func() {
 				time.Sleep(time.Second * 1)
 				ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)

cmd/server/handler.go

@@ -319,8 +319,9 @@ func serve(
 	}
 
 	var srv = graceful.WithDefaults(&http.Server{
-		Handler:   handler,
-		TLSConfig: tlsConfig,
+		Handler:           handler,
+		TLSConfig:         tlsConfig,
+		ReadHeaderTimeout: time.Second * 5,
 	})
 
 	if err := graceful.Graceful(func() error {

go.mod

@@ -50,7 +50,7 @@ require (
 	github.com/ory/herodot v0.9.13
 	github.com/ory/hydra-client-go v1.11.8
 	github.com/ory/jsonschema/v3 v3.0.7
-	github.com/ory/x v0.0.442
+	github.com/ory/x v0.0.443
 	github.com/pborman/uuid v1.2.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0

go.sum

@@ -1360,8 +1360,8 @@ github.com/ory/jsonschema/v3 v3.0.7 h1:GQ9qfZDiJqs4l2d3p56dozCChvejQFZyLKGHYzDzO
 github.com/ory/jsonschema/v3 v3.0.7/go.mod h1:g8c8YOtN4TrR2wYeMdT02GDmzJDI0fEW2nI26BECafY=
 github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE=
 github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM=
-github.com/ory/x v0.0.442 h1:/FCJw7vaWwEN38WKdYOlEt4vXh25yD/B0rkKwXPMSYo=
-github.com/ory/x v0.0.442/go.mod h1:kB0Nf6sgWsDl7M0QjDmfyKheDc/LF999wzhKHQ2Kop0=
+github.com/ory/x v0.0.443 h1:AfQZLs1Li6es8kohd8WStr4u7wBSdS+QUUuCB+Iws+8=
+github.com/ory/x v0.0.443/go.mod h1:kB0Nf6sgWsDl7M0QjDmfyKheDc/LF999wzhKHQ2Kop0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=

internal/driver.go

@@ -3,7 +3,6 @@ package internal
 import (
 	"context"
 
-	"strings"
 	"sync"
 	"testing"
 
@@ -76,29 +75,15 @@ func CleanAndMigrate(reg driver.Registry) func(*testing.T) {
 }
 
 func ConnectToMySQL(t *testing.T) string {
-	c := dockertest.ConnectToTestMySQLPop(t)
-	url := c.URL()
-	if !strings.HasPrefix(url, "mysql://") {
-		url = "mysql://" + url
-	}
-	require.NoError(t, c.Close())
-	return url
+	return dockertest.RunTestMySQLWithVersion(t, "11.8")
 }
 
 func ConnectToPG(t *testing.T) string {
-	c := dockertest.ConnectToTestPostgreSQLPop(t)
-	require.NoError(t, c.Close())
-	return c.URL()
+	return dockertest.RunTestPostgreSQLWithVersion(t, "11.8")
 }
 
 func ConnectToCRDB(t *testing.T) string {
-	c := dockertest.ConnectToTestCockroachDBPop(t)
-	url := c.URL()
-	if !strings.HasPrefix(url, "cockroach") {
-		url = "cockroach://" + strings.Split(url, "://")[1]
-	}
-	require.NoError(t, c.Close())
-	return url
+	return dockertest.RunTestCockroachDBWithVersion(t, "v22.1.2")
 }
 
 func ConnectDatabases(t *testing.T, migrate bool, ctxer contextx.Contextualizer) (pg, mysql, crdb driver.Registry, clean func(*testing.T)) {

persistence/sql/migrations/20211004110001000000_change_client_primary_key.cockroach.down.sql

@@ -1 +1 @@
-ALTER TABLE hydra_client DROP CONSTRAINT "primary", ADD CONSTRAINT "primary" PRIMARY KEY (pk_deprecated);
+ALTER TABLE hydra_client DROP CONSTRAINT "hydra_client_pkey", ADD CONSTRAINT "primary" PRIMARY KEY (pk_deprecated);

persistence/sql/migrations/20211011000001000000_change_jwk_primary_key.cockroach.down.sql

@@ -1 +1 @@
-ALTER TABLE hydra_jwk DROP CONSTRAINT "primary", ADD CONSTRAINT "primary" PRIMARY KEY (pk_deprecated);
+ALTER TABLE hydra_jwk DROP CONSTRAINT "hydra_jwk", ADD CONSTRAINT "primary" PRIMARY KEY (pk_deprecated);

persistence/sql/migrations/20211011000003000000_change_jwk_primary_key.cockroach.up.sql

@@ -1,2 +1,2 @@
 ALTER TABLE hydra_jwk DROP CONSTRAINT "primary";
-ALTER TABLE hydra_jwk ADD CONSTRAINT "hydra_client_pkey" PRIMARY KEY (pk);
+ALTER TABLE hydra_jwk ADD CONSTRAINT "hydra_jwk_pkey" PRIMARY KEY (pk);

persistence/sql/migrations/20211019000001000000_merge_authentication_request_tables.cockroach.up.sql

@@ -3,45 +3,45 @@
 CREATE TABLE hydra_oauth2_flow
 (
     login_challenge           character varying(40) NOT NULL,
-    requested_scope           text NOT NULL,
+    requested_scope           text NOT NULL DEFAULT '[]',
     login_verifier            character varying(40) NOT NULL,
     login_csrf                character varying(40) NOT NULL,
     subject                   character varying(255) NOT NULL,
     request_url               text NOT NULL,
     login_skip                boolean NOT NULL,
     client_id                 character varying(255) NOT NULL,
     requested_at              timestamp without time zone DEFAULT now() NOT NULL,
-    oidc_context              text NOT NULL,
-    login_session_id          character varying(40),
-    requested_at_audience     text DEFAULT ''::text,
-    login_initialized_at      timestamp without time zone,
+    login_initialized_at      timestamp without time zone NULL DEFAULT NULL,
+    oidc_context              jsonb NOT NULL DEFAULT '{}',
+    login_session_id          character varying(40) NULL,
+    requested_at_audience     text NULL DEFAULT '[]',
 
     state                     INTEGER      NOT NULL,
 
-    login_remember boolean,
-    login_remember_for integer,
-    login_error text,
-    acr text,
-    login_authenticated_at timestamp without time zone,
-    login_was_used boolean,
-    forced_subject_identifier character varying(255) DEFAULT ''::character varying,
-    context text DEFAULT '{}'::text,
-    amr text DEFAULT ''::text,
+    login_remember boolean NOT NULL DEFAULT false,
+    login_remember_for integer NOT NULL,
+    login_error text NULL,
+    acr text  NOT NULL DEFAULT '',
+    login_authenticated_at timestamp without time zone NULL DEFAULT NULL,
+    login_was_used boolean NOT NULL DEFAULT false,
+    forced_subject_identifier character varying(255) NOT NULL DEFAULT ''::character varying,
+    context jsonb DEFAULT '{}',
+    amr text DEFAULT '[]',
 
-    consent_challenge_id character varying(40),
-    consent_verifier character varying(40),
+    consent_challenge_id character varying(40) NULL,
     consent_skip boolean DEFAULT false NOT NULL,
-    consent_csrf character varying(40),
+    consent_verifier character varying(40) NULL,
+    consent_csrf character varying(40) NULL,
 
-    granted_scope text,
+    granted_scope text NOT NULL DEFAULT '[]',
+    granted_at_audience text NOT NULL DEFAULT '[]',
     consent_remember boolean DEFAULT false NOT NULL,
-    consent_remember_for integer,
-    consent_error text,
-    session_access_token text DEFAULT '{}'::text NOT NULL,
-    session_id_token text DEFAULT '{}'::text NOT NULL,
+    consent_remember_for integer NULL,
+    consent_handled_at TIMESTAMP WITHOUT TIME ZONE NULL,
+    consent_error TEXT NULL,
+    session_access_token jsonb DEFAULT '{}' NOT NULL,
+    session_id_token jsonb DEFAULT '{}' NOT NULL,
     consent_was_used boolean DEFAULT false NOT NULL,
-    granted_at_audience text DEFAULT ''::text,
-    consent_handled_at timestamp without time zone
 
     CHECK (
         state = 128 OR