fix: OIDC tables FK references merchants instead of auth.users

Same issue as webauthn — all four OIDC tables (oauth_clients,
oauth_authorization_codes, oauth_refresh_tokens, oauth_consents)
referenced auth.users(id) but the app uses merchants table.

Migration drops and recreates all OIDC tables with correct FKs.
Added error logging to client creation route.

Author: ralyodio

src/app/api/oauth/clients/route.ts

@@ -91,6 +91,7 @@ export async function POST(request: NextRequest) {
     .single();
 
   if (error) {
+    console.error('[OAuth] Failed to create client:', error.message, error.code, error.details);
     return NextResponse.json(
       { success: false, error: 'Failed to create client' },
       { status: 500 }

supabase/migrations/20260318050000_fix_oidc_fk.sql

@@ -0,0 +1,74 @@
+-- Fix all OIDC tables: reference merchants(id) instead of auth.users(id)
+-- The app uses a custom merchants table with its own JWT auth
+
+-- Drop dependent tables first (FK ordering)
+DROP TABLE IF EXISTS oauth_consents;
+DROP TABLE IF EXISTS oauth_refresh_tokens;
+DROP TABLE IF EXISTS oauth_authorization_codes;
+DROP TABLE IF EXISTS oauth_clients;
+
+-- Recreate oauth_clients
+CREATE TABLE oauth_clients (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  client_id TEXT UNIQUE NOT NULL DEFAULT 'cp_' || substr(md5(random()::text), 1, 24),
+  client_secret TEXT NOT NULL,
+  name TEXT NOT NULL,
+  description TEXT,
+  redirect_uris TEXT[] NOT NULL DEFAULT '{}',
+  scopes TEXT[] NOT NULL DEFAULT '{openid,profile,email}',
+  owner_id UUID REFERENCES merchants(id) ON DELETE CASCADE,
+  is_active BOOLEAN NOT NULL DEFAULT true,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- Authorization codes (short-lived, exchanged for tokens)
+CREATE TABLE oauth_authorization_codes (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  code TEXT UNIQUE NOT NULL,
+  client_id TEXT NOT NULL REFERENCES oauth_clients(client_id) ON DELETE CASCADE,
+  user_id UUID NOT NULL REFERENCES merchants(id) ON DELETE CASCADE,
+  redirect_uri TEXT NOT NULL,
+  scopes TEXT[] NOT NULL DEFAULT '{}',
+  code_challenge TEXT,
+  code_challenge_method TEXT DEFAULT 'S256',
+  expires_at TIMESTAMPTZ NOT NULL,
+  used BOOLEAN NOT NULL DEFAULT false,
+  created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- Refresh tokens
+CREATE TABLE oauth_refresh_tokens (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  token TEXT UNIQUE NOT NULL,
+  client_id TEXT NOT NULL REFERENCES oauth_clients(client_id) ON DELETE CASCADE,
+  user_id UUID NOT NULL REFERENCES merchants(id) ON DELETE CASCADE,
+  scopes TEXT[] NOT NULL DEFAULT '{}',
+  expires_at TIMESTAMPTZ NOT NULL,
+  revoked BOOLEAN NOT NULL DEFAULT false,
+  created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- Consents (remember user's approval per client)
+CREATE TABLE oauth_consents (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES merchants(id) ON DELETE CASCADE,
+  client_id TEXT NOT NULL REFERENCES oauth_clients(client_id) ON DELETE CASCADE,
+  scopes TEXT[] NOT NULL DEFAULT '{}',
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW(),
+  UNIQUE(user_id, client_id)
+);
+
+-- Re-enable RLS on all tables
+ALTER TABLE oauth_clients ENABLE ROW LEVEL SECURITY;
+ALTER TABLE oauth_authorization_codes ENABLE ROW LEVEL SECURITY;
+ALTER TABLE oauth_refresh_tokens ENABLE ROW LEVEL SECURITY;
+ALTER TABLE oauth_consents ENABLE ROW LEVEL SECURITY;
+
+-- Indexes
+CREATE INDEX idx_oauth_codes_client ON oauth_authorization_codes(client_id);
+CREATE INDEX idx_oauth_codes_user ON oauth_authorization_codes(user_id);
+CREATE INDEX idx_oauth_refresh_client ON oauth_refresh_tokens(client_id);
+CREATE INDEX idx_oauth_refresh_user ON oauth_refresh_tokens(user_id);
+CREATE INDEX idx_oauth_consents_user ON oauth_consents(user_id);