storage: get both the stable & unstable scopes when looking for devices

Author: sandhose

crates/storage-pg/.sqlx/query-373f7eb215b0e515b000a37e55bd055954f697f257de026b74ec408938a52a1a.json

@@ -499,17 +499,24 @@ impl AppSessionRepository for PgAppSessionRepository<'_> {
         .instrument(span)
         .await?;
 
-        if let Ok(device_as_scope_token) = device.to_scope_token() {
+        if let Ok([stable_device_as_scope_token, unstable_device_as_scope_token]) =
+            device.to_scope_token()
+        {
             let span = tracing::info_span!(
                 "db.app_session.finish_sessions_to_replace_device.oauth2_sessions",
                 { DB_QUERY_TEXT } = tracing::field::Empty,
             );
             sqlx::query!(
                 "
-                    UPDATE oauth2_sessions SET finished_at = $3 WHERE user_id = $1 AND $2 = ANY(scope_list) AND finished_at IS NULL
+                    UPDATE oauth2_sessions
+                    SET finished_at = $4
+                    WHERE user_id = $1
+                      AND ($2 = ANY(scope_list) OR $3 = ANY(scope_list))
+                      AND finished_at IS NULL
                 ",
                 Uuid::from(user.id),
-                device_as_scope_token.as_str(),
+                stable_device_as_scope_token.as_str(),
+                unstable_device_as_scope_token.as_str(),
                 finished_at
             )
             .record(&span)
@@ -652,7 +659,10 @@ mod tests {
             .unwrap();
 
         let device2 = Device::generate(&mut rng);
-        let scope = Scope::from_iter([OPENID, device2.to_scope_token().unwrap()]);
+        let scope: Scope = [OPENID]
+            .into_iter()
+            .chain(device2.to_scope_token().unwrap().into_iter())
+            .collect();
 
         // We're moving the clock forward by 1 minute between each session to ensure
         // we're getting consistent ordering in lists.

crates/storage-pg/.sqlx/query-5da7a197e0008f100ad4daa78f4aa6515f0fc9eb54075e8d6d15520d25b75172.json

@@ -15,7 +15,10 @@ use mas_storage::{
 };
 use oauth2_types::scope::{Scope, ScopeToken};
 use rand::RngCore;
-use sea_query::{Expr, PgFunc, PostgresQueryBuilder, Query, enum_def, extension::postgres::PgExpr};
+use sea_query::{
+    Condition, Expr, PgFunc, PostgresQueryBuilder, Query, SimpleExpr, enum_def,
+    extension::postgres::PgExpr,
+};
 use sea_query_binder::SqlxBinder;
 use sqlx::PgConnection;
 use ulid::Ulid;
@@ -126,12 +129,19 @@ impl Filter for OAuth2SessionFilter<'_> {
                         .ne(Expr::all(static_clients))
                 }
             }))
-            .add_option(self.device().map(|device| {
-                if let Ok(scope_token) = device.to_scope_token() {
-                    Expr::val(scope_token.to_string()).eq(PgFunc::any(Expr::col((
-                        OAuth2Sessions::Table,
-                        OAuth2Sessions::ScopeList,
-                    ))))
+            .add_option(self.device().map(|device| -> SimpleExpr {
+                if let Ok([stable_scope_token, unstable_scope_token]) = device.to_scope_token() {
+                    Condition::any()
+                        .add(
+                            Expr::val(stable_scope_token.to_string()).eq(PgFunc::any(Expr::col((
+                                OAuth2Sessions::Table,
+                                OAuth2Sessions::ScopeList,
+                            )))),
+                        )
+                        .add(Expr::val(unstable_scope_token.to_string()).eq(PgFunc::any(
+                            Expr::col((OAuth2Sessions::Table, OAuth2Sessions::ScopeList)),
+                        )))
+                        .into()
                 } else {
                     // If the device ID can't be encoded as a scope token, match no rows
                     Expr::val(false).into()