From cb0ca96a7b95d3cea8a9a9d3e6012836e41aca62 Mon Sep 17 00:00:00 2001
From: Harry Anderson
Date: Thu, 26 Mar 2026 22:46:56 +0000
Subject: [PATCH] fix: use transaction context in OIDC/LDAP SetAuthToken and fix SQL column count
---
 core/sessions/ldapauth/ldap.go | 6 +++---
 core/sessions/oidcauth/oidc.go | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/core/sessions/ldapauth/ldap.go b/core/sessions/ldapauth/ldap.go
index 8cfa90269a8..ca9f2dcaa9e 100644
--- a/core/sessions/ldapauth/ldap.go
+++ b/core/sessions/ldapauth/ldap.go
@@ -554,17 +554,17 @@ func (l *ldapAuthenticator) SetAuthToken(ctx context.Context, user *sessions.Use
 // Check presence in local users table. Set localauth_user column true if present.
 // This flag omits the session/token from being purged by the sync daemon/reaper.go
 isLocalCLIAdmin := false
- err = l.ds.QueryRowxContext(ctx, "SELECT EXISTS (SELECT 1 FROM users WHERE email = $1)", user.Email).Scan(&isLocalCLIAdmin)
+ err = tx.QueryRowxContext(ctx, "SELECT EXISTS (SELECT 1 FROM users WHERE email = $1)", user.Email).Scan(&isLocalCLIAdmin)
 if err != nil {
 return fmt.Errorf("error checking user presence in users table: %w", err)
 }
 // Remove any existing API tokens
- if _, err = l.ds.ExecContext(ctx, "DELETE FROM ldap_user_api_tokens WHERE user_email = $1", user.Email); err != nil {
+ if _, err = tx.ExecContext(ctx, "DELETE FROM ldap_user_api_tokens WHERE user_email = $1", user.Email); err != nil {
 return fmt.Errorf("error executing DELETE FROM ldap_user_api_tokens: %w", err)
 }
 // Create new API token for user
- _, err = l.ds.ExecContext(
+ _, err = tx.ExecContext(
 ctx,
 "INSERT INTO ldap_user_api_tokens (user_email, user_role, localauth_user, token_key, token_salt, token_hashed_secret, created_at) VALUES ($1, $2, $3, $4, $5, $6, now())",
 user.Email,
diff --git a/core/sessions/oidcauth/oidc.go b/core/sessions/oidcauth/oidc.go
index 06258bd1d55..2ee3b055b2a 100644
--- a/core/sessions/oidcauth/oidc.go
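Review bot: Nothing in the ldap.go hunk tells the next editor that every statement here has to run on `tx`. The three replaced `l.ds` calls show how easily a call on the authenticator's own data source slips in; such a call presumably runs outside the transaction, so a failed INSERT would leave the DELETE of the user's existing token committed. I would add a comment above the existence check, for example `// All statements below must use tx, not l.ds, so the lookup, DELETE and INSERT commit or roll back together.` The same comment fits the closure in the oidc.go hunk. The enclosing transaction call for the LDAP code starts above this hunk, so this assumes `tx` is its callback parameter.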
+++ b/core/sessions/oidcauth/oidc.go
@@ -517,12 +517,12 @@ func (oi *oidcAuthenticator) SetAuthToken(ctx context.Context, user *clsessions.
 err = sqlutil.TransactDataSource(ctx, oi.ds, nil, func(tx sqlutil.DataSource) error {
 // Remove any existing API tokens
- if _, err = oi.ds.ExecContext(ctx, "DELETE FROM oidc_user_api_tokens WHERE user_email = $1", user.Email); err != nil {
+ if _, err = tx.ExecContext(ctx, "DELETE FROM oidc_user_api_tokens WHERE user_email = $1", user.Email); err != nil {
 return fmt.Errorf("error executing DELETE FROM oidc_user_api_tokens: %w", err)
 }
 // Create new API token for user
- _, err = oi.ds.ExecContext(ctx,
- "INSERT INTO oidc_user_api_tokens (user_email, user_role, token_key, token_salt, token_hashed_secret, created_at) VALUES ($1, $2, $3, $4, $5, $6, now())",
+ _, err = tx.ExecContext(ctx,
+ "INSERT INTO oidc_user_api_tokens (user_email, user_role, token_key, token_salt, token_hashed_secret, created_at) VALUES ($1, $2, $3, $4, $5, now())",
 user.Email,
 user.Role,
 token.AccessKey,
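Review bot: The closure in the oidc.go hunk still writes to the captured outer `err` (`if _, err = tx.ExecContext(...)` and `_, err = tx.ExecContext(ctx,`), the same variable that receives the return value of `sqlutil.TransactDataSource`. Scoping it inside the callback, e.g. `if _, err := tx.ExecContext(ctx, "DELETE FROM oidc_user_api_tokens WHERE user_email = $1", user.Email); err != nil {`, keeps the callback's outcome flowing only through its return value. The `err =` assignments in the ldap.go hunk look like the same pattern, though their enclosing call is outside that hunk. Separately, the old INSERT listed six columns but seven values, so any test that ran it against a database should have failed; the diffstat lists only the two source files, so a regression test for the OIDC `SetAuthToken` path appears to be missing. The closure body continues past the end of this hunk.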