From 4bfb707ff3ac1507789de02505d5e06dea1f0a5f Mon Sep 17 00:00:00 2001
From: DaydreamCoding <22166516+DaydreamCoding@users.noreply.github.com>
Date: Thu, 21 May 2026 00:35:47 +0800
Subject: [PATCH] =?UTF-8?q?fix(auth):=20user=5Fprovider=5Fdefault=5Fgrants?=
 =?UTF-8?q?=20=E5=8A=A0=E5=85=A5=20github/google/dingtalk?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

migration 135/136 把 github、google、dingtalk 加到 users / auth_identities /
auth_identity_channels / pending_auth_sessions 的 check 约束时，漏改
user_provider_default_grants。一旦管理员开启 grant_on_first_bind，OAuth 首次
绑定就会在 INSERT user_provider_default_grants 时撞约束，触发 500。
---
 ...140_extend_user_provider_default_grants_check.sql | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 backend/migrations/140_extend_user_provider_default_grants_check.sql

diff --git a/backend/migrations/140_extend_user_provider_default_grants_check.sql b/backend/migrations/140_extend_user_provider_default_grants_check.sql
new file mode 100644
index 00000000..c739e6e0
--- /dev/null
+++ b/backend/migrations/140_extend_user_provider_default_grants_check.sql
@@ -0,0 +1,12 @@
+-- 修复：user_provider_default_grants 表的 provider_type check 约束
+-- 与 auth_identities / auth_identity_channels / pending_auth_sessions 保持一致，
+-- 否则启用了 auth_source_default_{github,google,dingtalk}_grant_on_first_bind
+-- 之后，OAuth 首次绑定流程会因约束违反而失败。
+-- 参见 migrations 135、136 漏改本表。
+
+ALTER TABLE user_provider_default_grants
+    DROP CONSTRAINT IF EXISTS user_provider_default_grants_provider_type_check;
+
+ALTER TABLE user_provider_default_grants
+    ADD CONSTRAINT user_provider_default_grants_provider_type_check
+    CHECK (provider_type IN ('email', 'linuxdo', 'wechat', 'oidc', 'github', 'google', 'dingtalk'));